
A Hospital Actively Enforcing HIPAA Requirements!

It is great to see a story published about a hospital, actually any type of organization that is a covered entity (CE), that is actively and seriously trying to be in compliance with HIPAA requirements.

Ever since the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule went into effect, most CEs (which include healthcare insurers, healthcare providers, and clearinghouses) have been watching to see if the U.S. Department of Health and Human Services (HHS) regulatory enforcement agencies would start enforcing compliance and applying fines and penalties.

A significant portion of CEs, particularly healthcare providers, have done very little to be in compliance beyond creating a notice of privacy practices (NPP). Most still do not have ongoing training and awareness, internal policies, or supporting procedures. And until this story I had not heard of any CE having a clearly defined sanctions policy that was actively and consistently enforced.

So far, significant numbers of CEs have not been serious about compliance, but it will be interesting to see the results of the Piedmont Hospital HIPAA audit that was started a few months ago and how it impacts what CEs do for compliance.

This morning I read a story in the Laramie Boomerang, "HIPAA violation to view own records."

Since August 28 of this year the Ivinson Memorial Hospital has applied many sanctions for violating their HIPAA policies. They have:

* Terminated 1 employee

* Placed 3 employees on a 3-day suspension

* Placed one employee on a 24-hour suspension

* Given 4 employees written reprimands

The Ivinson Memorial Hospital reportedly has a very active HIPAA compliance program in place, including some impressive-sounding awareness and training:

* "“The HIPAA regulations, our interpretation of them … is that you can’t look at your own records or any family member records unless there is a clinical need to do so,” Interim IMH CEO Nick Braccino said. “If you are doing so just because they are there and you have a private interest, you are violating HIPAA regulations and patient confidentiality.”"

It is important to note that they established policies and procedures based upon THEIR INTERPRETATION of HIPAA AS IT APPLIES TO THEIR ORGANIZATION. The way HIPAA is written it REQUIRES CEs to establish policies and procedures within the defined compliance areas based upon each CE's own unique situation and assessment of risks.

* "Trustee Dan Baccari stated that employees are allowed to view their own information when accessed appropriately."

The hospital reportedly has procedures in place that allow employees to access their own information, and it is holding personnel to those procedures, even when their system authorizations would let them access their own information without following the procedures.

* "Braccino said that since the installation of MEDITECH systems allowing administration to track the information employees view, several cases like these have arisen. Each violation, he said, will be looked at on a case-by-case basis. No one, he said, will be terminated solely for viewing their own information. However, he added, employees who view their own information and commit other violations might face severe reprimands. Hospital administration, he said, will act as consistently as possible in addressing HIPAA violations while considering them on an individual basis."

The hospital has implemented logging systems that record access to protected health information (PHI), and it is monitoring those logs to discover noncompliance.

They are applying sanctions consistently while taking each individual situation into consideration.
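To make the monitoring step concrete, here is an added example (not code from the hospital, from MEDITECH, or from this blog) that runs a self- and family-access check over constructed audit rows; the field names, the employee-to-patient mapping, and the "approved request procedure" flag are assumptions, not anything described in the article.

```python
from dataclasses import dataclass

# Constructed record shape (assumption): one row per chart view in an EHR audit log.
@dataclass(frozen=True)
class AccessEvent:
    user_id: str        # employee who viewed the chart
    patient_id: str     # patient whose record was viewed
    treating: bool      # documented care relationship for this view (clinical need)
    via_request: bool   # view made through the approved own-records request procedure

# Constructed mapping (assumption): employee -> patient IDs of that employee
# and of declared household members, maintained by HR/compliance.
EMPLOYEE_RELATED_PATIENTS = {
    "emp001": {"pt1001", "pt1002"},   # own chart and a spouse's chart
    "emp002": {"pt2001"},
    "emp003": set(),
}

# Constructed sample log, not real data.
AUDIT_LOG = [
    AccessEvent("emp001", "pt1001", treating=False, via_request=False),  # own chart, no need -> flag
    AccessEvent("emp001", "pt1002", treating=True,  via_request=False),  # family chart, assigned care -> ok
    AccessEvent("emp001", "pt1001", treating=False, via_request=True),   # own chart via procedure -> ok
    AccessEvent("emp002", "pt3005", treating=False, via_request=False),  # unrelated patient -> not this rule
    AccessEvent("emp002", "pt2001", treating=False, via_request=False),  # own chart, no need -> flag
    AccessEvent("emp003", "pt3005", treating=True,  via_request=False),
]

def flag_self_or_family_access(events, related):
    """Return views of an employee's own or family member's chart that were made
    neither under a clinical need nor through the approved request procedure."""
    hits = []
    for ev in events:
        household = related.get(ev.user_id, set())
        if ev.patient_id in household and not (ev.treating or ev.via_request):
            hits.append(ev)
    return hits

def summarize_by_user(hits):
    """Count flagged views per employee so compliance can review each case individually."""
    counts = {}
    for ev in hits:
        counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
    return counts

if __name__ == "__main__":
    flagged = flag_self_or_family_access(AUDIT_LOG, EMPLOYEE_RELATED_PATIENTS)
    for ev in flagged:
        print(f"REVIEW: {ev.user_id} viewed related chart {ev.patient_id} without clinical need")
    print(summarize_by_user(flagged))
```

The check only produces a review queue; as the article notes, each hit still has to be judged case by case before any sanction is applied.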

This is great!

* "At 37 training sessions throughout the year, HIPAA regulations — including those over viewing one’s own records — have been reviewed, IMH Compliance Officer Dean Jessup said. HIPAA regulations stating that employees are not allowed to view their own or others’ records have been posted at each of the hospital’s time clocks and other well-traveled locations, Jessup said. He added that disciplinary action was taken in at least two cases against people who admitted that they were aware they were committing a violation by viewing their own or others’ records."

The hospital has what sounds like a great, comprehensive education program including ongoing training and awareness activities. Having posters and messages posted where people gather is a very good way to demonstrate that an organization is doing all it can do to get personnel informed of the procedures and rules.

What's funny is that one of the hospital employees in the report was quoted as saying,

“I’ve been in health care 19 years and I, until today, I didn’t think there was anything wrong with me looking at my records”

It's hard to claim ignorance and have it be a valid defense for not following policies with such an active training program and so many awareness messages throughout the facility, all well documented.

The hospital is also actively applying sanctions. This is another important HIPAA requirement, but too many organizations fail to apply sanctions, or they apply them inconsistently.

This report would make a great case study for CEs to use within their HIPAA training. Go through the situations point-by-point and discuss how the parallel situations would be handled within your own organization.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.