Departing Nurse's HIPAA Breach Spurs New Privacy Policies at URMC — A Case In Point for Reviewing and Tightening Practices
ARTICLE IN BRIEF
A medical-privacy breach at the University of Rochester prompted a change in its policy to better comply with the Health Insurance Portability and Accountability Act. Experts discuss the need to review and, sometimes, revisit practices involving the handling of patient data and information.
When a nurse practitioner who had cared for multiple sclerosis patients at the University of Rochester Medical Center (URMC) for nearly 15 years announced that she would be moving to private practice, the department generated a list of her patients in order to send letters notifying them of her departure. After discussions on how best to maintain the quality of care, the list was given to the nurse to identify higher risk patients and those needing customized follow-up plans. Colleagues in the department of neurology did not anticipate any problems.
“This was a dedicated employee whom everyone knew and trusted,” said Neurology Today Associate Editor Robert G. Holloway, MD, MPH, FAAN, a professor and chair of neurology at the medical center. “She had a lot of knowledge about our patients, and she told us she would use the list to help with continuity of care, so we could reassign patients to other faculty and providers who might be the best fit for them.”
Instead, she gave the list of patients to her new practice, Greater Rochester Neurology (GRN), and all of the more than 3,400 patients on the list received solicitation letters from GRN advising them that the nurse practitioner would be leaving URMC and inviting them to switch their care to that private practice. When patients began calling the department of neurology to report the breach, an investigation ensued and the nurse practitioner was ultimately terminated before her planned departure date.
In December, New York State Attorney General Eric Schneiderman announced that URMC would be fined $15,000 for the Health Insurance Portability and Accountability Act (HIPAA) breach — a relatively modest amount that, according to URMC Senior Associate General Counsel Spencer Studwell, suggests the violation was an anomaly in an otherwise strong program of patient privacy protections.
“It was a little too easy to just push a button and generate a list, and in our particular case there was a belief on the part of the person who generated the list that there was an appropriate use for it,” said Studwell.
He acknowledged that the supposed need to generate an entire paper list of patients — which could then be taken out of the practice and handed over to another — doesn't withstand scrutiny in retrospect. “She could have simply made notes on each individual patient of hers in the electronic medical record. But the assumption was that she was still a member of the team and trying to do the right thing.”
The URMC case is not the only breach to have occurred in an academic medical center in the past year. Since last July, the University of California, Los Angeles (UCLA) has been dealing with the fallout from reports that hackers may have accessed sensitive data on as many as 4.5 million patients.
These cases reflect the complexities of compliance with medical-privacy regulations in an age of open access to electronic medical records and large datasets, experts in the growing field of informatics said. And the reports serve as a reminder that all requests for patient information should be carefully vetted, and privacy policies need to be periodically reviewed and adjusted.
In fact, that was what happened at URMC. After notifying all patients about the violation and the promise it had secured from Greater Rochester Neurology that all their data had been deleted from its records, URMC turned its attention to putting further protections in place to ensure that a violation like this would not be repeated.
“The departure of the nurse practitioner made us vulnerable,” said URMC Associate Vice President for Communications Chris DiFrancesco. “Most organizations, ours included, have been focused on patient privacy in a lot of different contexts, but we identified that final few weeks of a provider's employment as a gap. When a provider is leaving the organization for a position elsewhere, they often want to send their patients a letter to let them know. In our case, we didn't have tight control over how that should be done, who should have access to the list of patients, and who would be responsible for the control of that information. I suspect that many health care organizations have a similar gap in their privacy programs.”
The new URMC standard mandates that when any employee who has access to protected health information (PHI) is leaving, institutional leadership including the department and/or division chair must be notified within two days. The employee is given a copy of URMC's departure protocol, which specifies that “A departing employee with an ongoing relationship with patients must be specifically advised that he or she is not authorized to provide patients with initial notification of their departure, and that the Department will provide the necessary notification to patients.”
That notification, the standard states, should include the departing practitioner's last day seeing patients at URMC, details concerning the patient's options for ongoing care, and what the patient can expect regarding scheduled appointments set to occur after the departure date.
Standard sample letters have been developed for this purpose. They would typically be signed by the department chair, although the standard permits it to be delegated to a division chief or other faculty member on a case-by-case basis. The departing faculty member may, in some circumstances — such as a retirement — be authorized to sign the letter personally, but the chair must always approve the contents of the letter, and it must be sent out by the medical center on official department letterhead.
And the standard specifies, “Under no circumstances will the departing employee be provided a list of patients or otherwise given permission to send letters or other communications directly.”
TRUST, BUT VERIFY
“There's a natural inclination to trust each other when you work together on a care team,” DiFrancesco said. “If a colleague is asking for patient information, you're inclined to give it to them. Now, we have policies ensuring leadership oversight at the department level to make sure that trust isn't abused. This new standard lets everyone know precisely how transitions should be handled when an employee involved in patient care is leaving. We've also incorporated protections into our on-boarding orientation, to ensure that a provider being hired does not bring in protected information that would constitute a breach.”
The URMC case highlights the complex interplay of access to large electronic data sets and privacy protections, said Allison Weathers, MD, FAAN, an associate professor in the department of neurological sciences and associate chief medical information officer at Rush University Medical Center in Chicago. “As people do more and more quality reviews, departmental projects, and other initiatives that require access to big data, we need to be much more educated about the privacy implications. I work closely with our data management team, and we're getting more and more of these requests — like ‘I need the list of all the patients I've seen over the last year with migraine.’ We need to be cautious with our responsibility as custodians of this information, to vet these requests and make sure the data are being used in an appropriate way.”
But all the policies in the world won't keep someone with bad intentions from misusing data, warned James A. Russell, DO, FAAN, vice chair of neurology at Lahey Hospital and Medical Center in Burlington, MA, and chair of the AAN Ethics, Law, and Humanities Committee. “I have a database, for example, on all my ALS patients. If I were devious and had secondary motives I could easily steal that database and use it, but that's no different than any other crime. If an employee is truly intent on misusing data, it's very hard to stop them. It isn't Rochester's fault they had an employee who chose to do that.”
The Reagan-era “trust, but verify” adage is essential in this context, said Dr. Holloway. “Anytime someone is departing or lists of patients are being generated, it should make the hair on the back of your neck stand up to get your attention. As people are competing for patients across health care systems and the financial incentives become greater, the risks are enormous, and it can be very easy for something that seems small to slip by and become a huge issue.”
HOW DO YOU ADDRESS HIPAA COMPLIANCE?
Have you had to adjust or develop new policies in the last year to address medical-privacy regulations or the risk of a data breach? If so, we'd like to share your strategies and policies. Submit your responses, using the subject line HIPAA Responses, to: NeurologyToday@wolterskluwer.com.