
At Your Defense

Violate HIPAA and Lose Your Shirt

Reyes, Carlo MD, JD

doi: 10.1097/01.EEM.0000464076.41829.e9

    Patients presenting to the emergency department are vulnerable. Distracted by pain and fear of serious illness, they rely on emergency providers to take care of them and to safeguard their medical history. Emergency physicians (EPs) generally understand the importance of patient privacy: we keep our voices down in hallways and hold private patient conversations away from other patients.

    Since the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), however, the growing complexity of health care delivery has created unexpected ways in which providers may violate the act. The number of HIPAA violation complaints reviewed by the Office for Civil Rights has, in fact, grown substantially over the past 10 years.

    A single HIPAA violation may cost up to $50,000, with the top of that range reserved for violators who demonstrate willful neglect of the privacy rule. The recent HIPAA Omnibus Final Rule also raised the annual cap for violations of an identical provision from $25,000 to $1.5 million, so providers have no choice but to implement safeguards against costly HIPAA violations.

    Providers love their mobile phones. Eighty percent of physicians reported using mobile phones in their clinical practice as of 2011, a percentage that is undoubtedly higher in 2015. (, May 6, 2011.) As EPs adopted mobile phone technology to take more efficient care of patients, lost or stolen mobile devices became the number-one cause of HIPAA breaches, accounting for 68 percent of breaches since 2012. (HIT Consultant, Nov 4, 2014.)

    Most hospitals implement bring-your-own-device policies that define the appropriate use of mobile devices needed to protect personal health information. Understanding your hospital's policy could prevent costly violations. Texting has become the preferred way for care team members to communicate treatment plans, but SMS texting is not end-to-end encrypted: messages travel in the clear over the cellular carrier's network and are retained on the carrier's servers, which are not HIPAA compliant, for an indefinite period. Copies also remain on both the sender's and the recipient's handsets, which is exactly what is exposed when a device is lost or stolen. All of this makes such information easy to locate, whether during a HIPAA audit or in e-discovery during litigation.

    EPs commonly strip personal health information from texts, and images of EKGs and radiographs that show no patient name or other patient identifier do not violate HIPAA even if the image is misdirected to the wrong mobile phone. The caveat is that "no identifier" means none of the identifiers HIPAA lists for de-identification, so a date of service, a medical record number, or an accession number burned into the image, or carried in the photo's embedded metadata, still counts. Hospitals should prefer a more secure solution, such as a HIPAA-compliant instant messaging program that encrypts messages in transit and at rest and provides a secure means for members of the care team to exchange personal health information.

    Medical scribes have transformed health care delivery out of technological necessity. Electronic medical record systems increase the time providers spend on documentation, and medical scribes help EPs maintain a high level of productivity. The presence of scribes, however, creates additional opportunities for HIPAA breaches, though any member of the health care team can cause a hospital to violate HIPAA. Many notable examples exist of hospitals paying substantial penalties because unscrupulous nurses and physicians disclosed personal health information, inadvertently on social media or blatantly by selling stories to the news media.

    One unfortunate example illustrates the risk created by scribes in particular. A scribe employed by an EP group improperly obtained a young female patient's phone number after seeing her during her ED visit, called her when she got home, and asked her on a date. This single HIPAA violation could cost the EP group $50,000. Medical scribes create particular liability for EPs by virtue of their business relationship with physician groups. Under HIPAA, scribe companies that access personal health information to assist EPs with documentation are business associates of the EP groups; alternatively, EP groups employ scribes directly. In either scenario, EPs must take particular care to prevent scribes from committing HIPAA breaches.

    Business associate agreements protect EP groups by requiring scribe companies to comply with the HIPAA privacy, security, and breach notification rules, which are intended to prevent impermissible use or disclosure of personal health information. A well-written agreement places on the scribe company the duty to ensure that its scribes receive proper HIPAA training, the obligation to pay monetary penalties for violations committed by scribes, and the requirement to report breaches promptly to the EP group, so that the group can meet its own notification duties to affected patients and to the Office for Civil Rights. Generally speaking, in the absence of a business associate agreement, which is itself a HIPAA violation, or in the presence of a poorly constructed one, EP groups may be liable not only for their own HIPAA violations but also for those of their scribe company.


    Copyright © 2015 Wolters Kluwer Health, Inc. All rights reserved.