HIPAA in the Real World (Part 1): Why Compliance Matters

Now, I know this HIPAA stuff can seem a bit dry and arcane, and we’ve covered a lot of different rules. But, let me show you how this can come up in real life.

I got a call on my cell phone from the CEO of a large medical group in Los Angeles. They were absolutely panicked. It was a Sunday afternoon, and they’d just learned that one of their nurses had been in a lovely barbecue, but unfortunately, she’d brought a bunch of patient files. As I mentioned, she left them in the car. And all the files were gone.

So, someone had broken in, and the files involved 100 patients. Now, it could have involved three, but it happened to be 100, which is bad news. It means that someone got names, phone numbers, addresses, social security numbers, drivers licenses, a lot of sensitive information. What the patients were being treated for, who their doctors were, the drugs that they’d been on, every kind of treatment, even who their ministers were. This wasn’t good.

So, the CEO was furious, and the HR director was wondering what to do. Frankly, they were doing the math. 100 patients, violations per patient, it was starting to add up. They were wondering, was someone going to find willful neglect? Had they really covered their bases before? How bad was this going to be? And they were wondering about the media implications as well.

So, first of all, I had to calm them down, and just get the facts. The first thing you have to do when a HIPAA violation arises is you have to go in and find out exactly what was taken, what were the circumstances, what was the information, what data was involved, how many patients, and what was all the groundwork that the organization had done or had neglected to do leading up to the incident.

Did they have any policies and procedures in place? Did they just get them off the internet? Were they in a binder somewhere? Did they do any training? Did they talk to staff? What did they do with the employee? What should they do? Did they have those administrative, physical and technical safeguards? Did they know the difference between the different kinds? How extensive were the policies? Did they address this kind of incident?

Because these kinds of things are predictable, and that’s why these rules, even though they seem esoteric, are so detailed and so complicated. Because they actually give you a checklist where, if you’re going to get audited by the government, you know in advance exactly what to have in place.

Going back to the training, did the employee know that she should have just had all of this sensitive information in the front seat of her car? Was she someone who paid attention at the training? Did she sign in? Was there a record of that? Or, someone who skipped the training and nobody followed up on it? Or maybe she was someone who’d been properly trained, but simply went rogue on her own, and, in such case, maybe the institution did everything that it could. The medical group did everything that they could have done to prevent this kind of problem, but the employee just went off on her own. What had they done to protect unauthorized use and disclosure of PHI?