Executive Summary
Writing down protected health information (PHI) on paper poses a significant risk of violating the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare employees and contractors still jot down PHI and bypass all the digital protections.
- HIPAA breaches have been traced to handwritten notes.
- Completely prohibiting the use of handwritten notes might be impractical.
- Some types of information could be banned from handwritten notes.
With all the talk about encryption and other high-tech ways to safeguard protected health information (PHI), Health Insurance Portability and Accountability Act (HIPAA) violations still can be traced to the simplest task: jotting down notes about a patient on a piece of paper.
The risk posed by handwritten notes was illustrated recently when AccessHealthCT, the health insurance exchange in Connecticut, announced a HIPAA breach traced to an employee of a contractor. The employee left a backpack containing the PHI of 400 of the state’s residents on the street. The PHI was written on a notepad and included various combinations of the customers’ names, birthdates, and up to 200 Social Security numbers. AccessHealthCT said the contractor apparently was using the data to work away from the office.
The contractor who employed the owner of the backpack is Maximus, the firm that operates the exchange’s call center. On the day of the breach, AccessHealthCT CEO Kevin Counihan said they were working with Maximus to address the situation, including the possibility that the employee left the backpack intentionally as part of a plan to steal the PHI. Maximus leaders put the suspected employee on administrative leave while the company investigated the incident further, and they soon announced their conclusion that the employee unintentionally left the backpack.
Maximus sent 395 letters to those affected offering them options to help protect their identity at the company’s expense. (See the story on p. 3 for advice on contractors and HIPAA security.)
Even in the age of electronic records, handwritten notes still are common and pose a significant risk, says Timothy B. Adelman, JD, an attorney with LeClairRyan in Annapolis, MD. In addition to contractors and others who might jot down notes as part of their work, Adelman points out that nurses and other clinicians routinely make written notes. Nurses often write notes about patients just before a shift change, for example, so they can refer to them when briefing the oncoming staff. Those could contain PHI, but don’t always.
Written notes common
Limiting the use of handwritten or printed records should mesh with a hospital’s overall privacy policy, particularly the admonition to use the "minimum necessary" PHI, says Patricia Wagner, JD, an attorney with Epstein Becker Green in Washington, DC.
That "minimum necessary" phrase will mean that handwritten notes should never include more information than is strictly necessary to achieve the task, and Wagner says it rarely would be necessary for a note to include information such as a patient’s full identification and Social Security number.
Jotting down a patient’s lab value so it can be entered in the electronic record later is a common habit, Adelman notes. That information probably would not rise to the level of PHI unless the note contained enough information for another party to figure out the identity of the patient, Adelman says.
"If it only says `Room 1’ and notes about the patient’s condition, that might not be PHI, but if the note includes the patient’s initials or full name, the room number and date, that might be enough to make it PHI," Adelman says. "Nurses may take these notes home with them at the end of the day, in their bag or the pocket of their scrubs, and that could lead to a breach."
The solution is to require that nurses leave those notepads at the hospital, in a secure location such as their lockers or a locked cabinet on the unit, Adelman says. Destroying the notes, preferably by shredding, also is an option.
Completely prohibiting such handwritten notes is not practical, Adelman says. It is wise, however, to include education about the risk of handwritten notes in all HIPAA training and to have a policy that restricts how much information can be written down and how the notes are stored or destroyed, he says. "You also should expect any contractor or independent provider to adhere to these policies as well," Adelman says. "It’s important that you not just give it lip service by saying in the contract that they must adhere to your policies and procedures. There should be a mechanism by which they acknowledge that they receive these policies and procedures and that they agree to abide by them."
Adelman has handled several cases involving shift change notes written by nurses, which can be important in proving what was or wasn’t conveyed to the other nurses and physicians. For HIPAA security and risk management concerns, Adelman always has recommended policies that prohibit taking those notes home.
"We’ve also handled a case in which a physician had his car stolen, along with a lot of paper patient records he had in the trunk. The Office for Civil Rights has made it clear that losing that kind of document, whether in paper or digital form, is a violation," Adelman says. "We strongly encourage people not to take paper records anywhere that makes them vulnerable."
Handwritten notes are not the whole problem, notes Brad Rostolsky, JD, an associate with Reed Smith in Philadelphia. Any hard copy record can lead to a HIPAA breach, he says. In one case with which he is familiar, a hospital employee accidentally left a stack of printed records on a subway train.
"The biggest issue with printed out, hard copy records is that you just don’t know whose information is at play," he says. "With electronic records, there is a backup somewhere, and you know what is lost or accessed. With handwritten records or printed copies, the tough question is, who do you notify?"
The answer usually will be "everybody" or at least a very liberal estimate of whose information might have been included, Rostolsky says. That broad notification means the impact of the breach could be much larger than if the data were electronic, he explains.
If a healthcare provider needs to use paper records – handwritten or printed – in some instances because going electronic is not feasible for that data, Rostolsky says there should be policies and procedures on how to track that information. Institutional pharmacies create paper records when delivering prescriptions, for example, and it would be nearly impossible to eliminate them. Those records can be protected with policies that require the records to be safeguarded at all times and not treated like just any other piece of paper. (The loss of paper records accounts for nearly a quarter of HIPAA breaches. See the story on p. 3.)
"If that kind of policy gets in the way of people taking home a stack of paperwork to work on in the evening, it might be time to move toward a system that allows them to log in to the system from home and work that way," Rostolsky says.
HIPAA education efforts should include pointing out that notepads and other written materials can lead to a breach. It is easy for people to dismiss a notepad as harmless, with just casual notations that don’t really constitute PHI, Wagner says.
"Unfortunately many healthcare organizations will not recognize the danger posed by paper records until they have a breach of that type," Wagner says. "Then they will be alarmed and wonder why they have so much paper floating around."