Healthcare News & Insights

HIPAA settlements break records: How hospitals can minimize their liability

The Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) just had a record-breaking year of HIPAA enforcement. Because the feds plan to continue this trend, hospitals must be vigilant about securing patients’ health data – and regularly remind staff of their responsibilities under the law.

In 2018, OCR collected $23.5 million in settlements and judgments from facilities that committed significant HIPAA violations, according to a press release from HHS.

This figure included the largest individual HIPAA settlement of all time: a $16 million payout from Anthem for a data breach involving a cyberattack that compromised the electronic protected health information (PHI) of almost 79 million patients.

While most HIPAA breaches may be smaller in scale, they still have the potential to hurt a hospital’s bottom line, especially if a high-profile individual is involved. Facilities could face financial consequences from both OCR and an individual lawsuit.

HIPAA trouble

One hospital in Chicago may find itself in a similar situation after discovering that many employees may have accessed a celebrity’s medical records without proper authorization.

“Empire” actor Jussie Smollett was admitted to Northwestern Memorial Hospital after sustaining injuries from an alleged hate crime attack. Because the case made national headlines, staffers became curious and searched for his records in the hospital’s electronic health records (EHR) system, as discussed in an article from NBC Chicago.

Once this came to light, Northwestern reportedly fired close to 50 employees, claiming they had no reason to access Smollett’s medical records. Some employees said they had a valid reason to do so, but the hospital refused to reverse its decision.

Even after terminating the employees, Northwestern will have to report the breach both to HHS and the actor himself. And in a time when OCR is cracking down on HIPAA enforcement, the hospital may have an expensive situation on its hands.

Staff reminders

Beefing up your cybersecurity to prevent breaches is meaningless if hospital employees are willing to bypass safeguards such as password protection and encryption to satisfy their own curiosity about patients through unauthorized searches. It’s equally important for a facility to train staff who have access to patient records about their responsibilities under HIPAA.

Remind employees that medical charts should only be accessed for valid reasons related to a patient’s treatment. Secure EHR login credentials shouldn’t be shared with other staff who aren’t permitted to access the system, and computer screens should be hidden so only authorized employees can see charts when they’re open.

Discretion is key. Staff should err on the side of caution and avoid even discussing patients in areas where they could be overheard by people who aren’t authorized to know about their treatment. They should also refrain from “gossiping” about patients – whether they’re famous or not. Tell staff that this also extends to any posts on social media, even if they have private accounts.

In addition, printed copies of patient records (and other info such as medication lists and lab results) should be secured and stored away from prying eyes. When disposing of documents with PHI printed on them, they should be shredded or placed in a locked bin to be destroyed off site.
