HIPAA Settlement Highlights Dangers of Employee Snooping
Today's installment of "health care entity fined for having nosy employees" hails from Los Angeles, California, where the UCLA Health System has agreed to pay the U.S. Department of Health and Human Services $865,000 to resolve privacy breach allegations. The settlement agreement stems from complaints filed by two celebrity patients, who alleged that from 2005 to 2008, unauthorized employees improperly accessed the patients' protected health information in violation of HIPAA.
Providers should heed an important lesson from this and other similar settlements - although the employees did the snooping, at the end of the day the providers were the ones footing the bill for the privacy violations. Therefore, every health care provider should, at a minimum, take the following steps:
1) Educate ALL employees on how protected health information (PHI) may be properly used - i.e., PHI may ONLY be accessed for treatment, payment, or health care operations. Employees should understand that working for a health care provider does not grant them unfettered access to peruse all patient records.
2) Privacy policies should be clearly outlined in an employee handbook or manual, along with guidelines for how employees should report suspected privacy breaches.
3) Providers should carefully screen all potential employees, from licensed medical personnel to receptionists. Specifically, hiring employees with questionable or unknown backgrounds increases the risk that employees may use PHI for personal gain - for example, selling information about a local celebrity to a tabloid or even maliciously disseminating the information on Facebook, Twitter, etc. to gain popularity.
Providers with questions about how to best protect themselves from privacy breaches should contact an experienced health care attorney. At a minimum, every provider should have a comprehensive employee handbook, copies of which should be given to ALL employees.