Recently, several employees of Cedars Sinai Medical Center were fired for improperly accessing the Protected Health Information (PHI) of Kim Kardashian (a reality TV personality), who went through her entire pregnancy with cameras in tow. You can be pretty confident that Kim will lament this invasion of her privacy for several episodes.
Regardless of the cameras and the dissemination of information by the patient herself, the covered entity has no choice but to protect Kim’s PHI under the HIPAA Security and Privacy standards. This incident is a teachable moment for your practice and your staff, and a warning for both.
By September 23, 2013, your organization is required to have implemented the HIPAA Omnibus rules. If you are like many practices, you will also need to implement overdue changes for the HITECH rules. The HIPAA Omnibus rules dramatically affect the concept of a breach.
Kim’s situation illustrates the dilemma facing your organization under the Omnibus rules.

Under the pre-Omnibus rules, a breach required harm to the patient’s financial situation or reputation. In Kim’s case, you could at least have had a discussion on whether there was harm. The employees would still have been sanctioned for violating your HIPAA Privacy Policies and Procedures, but the covered entity may have avoided a breach and the potential penalties that come with it.

Your practice may have “reasonably” taken the position that the public disclosure of the information did no harm, since Kim had the whole thing broadcast on cable TV. Before HIPAA Omnibus, there was no documentation requirement for such an analysis, and many covered entities did not keep documentation of their breach analyses. Kim could file her own complaint (it makes great reality television), but in the pre-Omnibus era the covered entity may have “reasonably” avoided admitting to a breach unless Kim claimed otherwise.

This is not a legal opinion, but it does illustrate the wide latitude in the pre-Omnibus environment.
Under the HIPAA Omnibus rules, Kim’s situation is clearly a breach, since the Omnibus rules only require that there not be a low probability that Kim’s PHI was compromised. Kim’s PHI was clearly compromised by the covered entity’s staff, and the information went out to unauthorized parties. But wait, there is more.
Under HIPAA Omnibus, you have to analyze every impermissible use and disclosure of PHI and keep the documentation. Indeed, Kim’s breach could open up your covered entity to an examination of previous impermissible disclosures and/or uses. Those earlier events could affect the actual penalty, or even expose your organization to additional penalties for previous events that were analyzed in a less than good faith manner.
This illustrates the importance of avoiding impermissible uses and disclosures of PHI through vigorous compliance efforts, effective training, and building a practice culture that protects PHI from the events and behavior that could lead to an impermissible use or disclosure, or even a breach.
Under HIPAA Omnibus, impermissible uses and disclosures leave a documentation trail that could substantially affect your future breach risk and even your penalties.
For expert advice on the policies and procedures you need to serve your patients, contact Sterling Solutions at (800)967-3028.
© Sterling Solutions, Ltd, 2013