HIPAA and zero-tolerance rules


Does your organization have zero tolerance for violations of patient privacy? If not, recent events may show the value of having such a policy.

As an example of HIPAA policy enforcement, Tucson's University Medical Center fired three employees this week for violating patient privacy. The hospital reported that the three were dismissed for improperly accessing the medical records of patients involved in the prominent shooting rampage in which Representative Gabrielle Giffords was wounded. The shooting killed six people and left Representative Giffords in critical condition.

Rules and procedures should clearly state that patient privacy must be protected. This includes limiting access to health information to those who need to know it.

Education is important in your business. Employees should be trained on HIPAA at hire and annually thereafter. Training materials should cover patient privacy, security, and how the applicable laws and regulations apply to the individual's particular work environment.

Access to information should be limited to what an individual needs to know based on their role. This role-based access should be reviewed annually as part of the compliance program.

You also must be able to track who has accessed protected health information. Access logs show who has examined a patient's record. I imagine it was access logs that led to the discovery of the workers accessing files at University Medical Center in Tucson. Without access logs, you will not be able to tell whether you have had a breach.
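The two preceding points, role-based need to know and review of the access log, are exactly what a privacy officer checks when an incident like the Tucson one is suspected. As an added example (not code from the hospital, from any product, or from this post), here is a small Python script that automates that review: it reads a minimal record-access log, checks each entry against what the user's role may do and against a care-team roster of who has a treatment or payment relationship with each patient, and lists the users whose accesses fall outside their need to know. The log format, the roster, the role names and the user names are all constructed for illustration.

```python
"""Flag accesses to patient records that fall outside a user's need to know.

Added example for this post, not code from the hospital or any product.
The log format, roster, roles and user names are assumptions for illustration.
"""
from collections import namedtuple
from datetime import datetime

Access = namedtuple("Access", "when user role patient action")

# Constructed sample: a minimal EHR access log, one line per record access.
# Fields: ISO timestamp, user id, role, patient id, action
SAMPLE_LOG = """\
2011-01-10T08:02:11,dr.alvarez,physician,P-1001,view_chart
2011-01-10T08:05:42,rn.chen,nurse,P-1001,view_chart
2011-01-10T08:09:03,billing.ortiz,billing,P-1001,view_chart
2011-01-10T09:14:55,rn.patel,nurse,P-1001,view_chart
2011-01-10T09:20:17,rn.patel,nurse,P-2002,view_chart
2011-01-10T09:31:40,billing.ortiz,billing,P-2002,view_billing
2011-01-10T11:47:09,it.nguyen,it_support,P-1001,view_chart
"""

# Constructed roster: users with a treatment or payment relationship to each
# patient, i.e. the people who need to know that patient's record.
CARE_TEAM = {
    "P-1001": {"dr.alvarez", "rn.chen"},
    "P-2002": {"rn.patel", "billing.ortiz"},
}

# Role-based rule: the actions each role may take at all, regardless of patient.
ROLE_PERMITS = {
    "physician": {"view_chart", "write_order"},
    "nurse": {"view_chart"},
    "billing": {"view_billing"},
    "it_support": set(),  # support staff maintain systems; they do not read charts
}


def parse_log(text):
    """Parse the constructed CSV-style log into Access records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, user, role, patient, action = line.split(",")
        records.append(Access(datetime.fromisoformat(when), user, role, patient, action))
    return records


def audit(accesses, care_team=CARE_TEAM, role_permits=ROLE_PERMITS):
    """Return (access, reasons) pairs for every access outside need to know.

    An access is flagged when the user's role may not perform the action at
    all, or when the user has no recorded relationship with the patient.
    Findings are leads for the privacy officer, not verdicts: emergency
    ("break the glass") access is legitimate but still appears here and must
    be reconciled against the emergency-access record before any sanction.
    """
    findings = []
    for a in accesses:
        reasons = []
        if a.action not in role_permits.get(a.role, set()):
            reasons.append("role %s is not permitted to %s" % (a.role, a.action))
        if a.user not in care_team.get(a.patient, set()):
            reasons.append("no care-team relationship with patient %s" % a.patient)
        if reasons:
            findings.append((a, tuple(reasons)))
    return findings


def users_to_review(findings):
    """Distinct users with at least one flagged access, for the sanctions process."""
    return sorted({a.user for a, _ in findings})


if __name__ == "__main__":
    found = audit(parse_log(SAMPLE_LOG))
    for a, reasons in found:
        print(a.when.isoformat(), a.user, a.patient, a.action, "; ".join(reasons))
    print("users to review:", ", ".join(users_to_review(found)))
```

On the constructed sample, the script flags the billing clerk and the IT technician who opened a chart they had no role or relationship for, and the nurse who viewed a patient outside her assignment; the physician, the assigned nurse and the billing lookup on the clerk's own patient pass. In a real deployment the roster comes from the scheduling or registration system, and the output feeds a human review, because the log alone cannot distinguish a curious employee from a legitimate emergency consult.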

Rules should also include a sanctions policy. Sanctions do not necessarily have to follow a zero-tolerance policy for every error; there may be times when what happened was a simple mistake. However, if you do have a zero-tolerance policy, be ready to follow through with it by dismissing employees when they violate it.

In a high-profile case like the one in Arizona, zero tolerance is the wisest choice. There is too much risk that this information could be obtained for all the wrong reasons. In the end, accessing patient information for any reason other than providing health care is wrong. Accessing it for possible personal gain, to sell it to the media, and so on, is totally unacceptable. Note that there is no evidence that is what happened in this particular case; the risk of such a problem is, however, higher when the patient is prominent.

In the end, having a zero-tolerance policy in your business, and making sure you enforce it, shows that you are serious about patient privacy. It may also protect you should you have to defend yourself in court or before the government in the case of a violation.

Training is important. Have you done your annual HIPAA staff training this year?
