Memorandum warned staff: Don't peek

This is an excerpt from the memorandum sent to all University of California, Los Angeles (UCLA), employees at 9:20 a.m. on Jan. 31, 2008, by chief compliance and privacy officer Carole A. Klove:

"Our patients' privacy and the security of their medical information continue to be a top concern for UCLA Health System. Ensuring the confidentiality of patient information is not only a commitment made to our patients but also directly impacts the patient experience as it comforts them to know that they can trust UCLA Health System to keep their medical information and Protected Health Information (PHI) safe. This year, we are implementing additional safeguards for our patients, including a Privacy Code, which will allow patients to designate specific individuals to receive information from their care providers.

"Each member of our work force, which includes our physicians, faculty, employees, volunteers, and students, is responsible to ensure that medical information is only accessed as required for treatment, for facilitating payment of a claim, or for supporting our health care operations, such as quality improvement... . Please remember that any unauthorized access by a work force member will be subject to disciplinary action, which could include termination."

Hospital issues stern warning

A similar warning was issued to staff at The University of Texas Medical Branch (UTMB) in Galveston in October 2007 after a privacy breach involving actor George Clooney at a New Jersey hospital.

More HIPAA cases could go to court

Repeated high-profile violations of the Health Insurance Portability and Accountability Act (HIPAA), such as the recent case involving singer Britney Spears, may result in more privacy cases going to court, says Susan J. Elliott, JD, MEd, a former emergency services psychiatric clinician and currently an attorney with the law firm O'Melveny & Myers in New York City.

"I have followed with interest the viability of taking HIPAA violation claims to court. While it is not common, I think it might change if these violations continue to occur," she says.

Since HIPAA's origins in 1996, cases have rarely gone to court, with most being resolved through fines, she explains. That trend could be changing, Elliott says. Cases in Florida and North Carolina show a new willingness to allow HIPAA breaches to go to trial, she says.

"In North Carolina, a doctor was sued for negligent infliction of emotional distress because [a patient's] medical records were leaked. The doctor moved for summary judgment, believing that the case had no merit. The court granted summary judgment, but the court of appeals reversed it," she says. "The court held that HIPAA is a standard of care and, like other legal standards of care, carries consequences when breached. Therefore a patient's private health information is to be guarded, and failure to do so could result in lawsuits."

While the North Carolina decision is not controlling in other states, it could be used persuasively to convince another court to hold doctors and hospitals to the strict HIPAA standards set out in the law, Elliott says.

"Employees must understand that compliance with HIPAA is not optional," she says. "If high-profile patients come into a facility, the administration must take all measures to protect that person's medical records. If not, these cases could wind up in court."

The compliance officer at UTMB took advantage of the publicity surrounding the New Jersey incident to remind the Texas staff about privacy concerns. Jim Kelso, privacy officer and associate director for the Office of Institutional Compliance at UTMB, issued a reminder to staff that said, "Patient privacy is serious. The workers at the New Jersey hospital were suspended for a month without pay. At UTMB, disciplinary actions for violations of patient privacy include termination. Violations under HIPAA can also lead to imprisonment and criminal fines if criminal charges are filed."

Kelso reminded staff that any UTMB employee who opens a patient's record, regardless of whether the employee changes the file, can be tracked. He also warned them that the hospital will use "every available resource at UTMB during the investigation, whether it involves conducting an interview, checking the logs in Health Information Management, or accessing the electronic logs found in any information resource."

His memo also cited these examples of inappropriate reasons to access a patient's information:

  • You are curious whether a person you know was admitted to the hospital.
  • You know the patient and are concerned about his or her health.
  • You are involved in a family dispute and want information about the welfare of a family member.
  • You need the address or phone number of a patient for a non-UTMB business reason.
  • The patient asks you to access the information as a personal favor, which is not part of your job role.