Archive for March, 2010
Connecticut Attorney General Richard Blumenthal is investigating his second case involving HIPAA violations this year, using again a legal authority granted to state attorneys general under the HITECH Act signed into law February 2009.
Blumenthal’s office confirmed in a statement Monday that it is pursuing a case involving allegations that a radiologist formerly affiliated with a Connecticut hospital improperly had access to the records of nearly 1,000 of the hospital’s patients.
Three months ago, Blumenthal announced he was suing Health Net of Connecticut, Inc., after the insurer reportedly failed to secure private medical records and financial information of 446,000 Connecticut members and then did not promptly notify them of the possible security breach for six months.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, says the power granted to state AGs to pursue lawsuits is a major change for HIPAA enforcement.
“Combined with the ability of individuals to get a ‘piece of the pie’ when penalties are handed out, this will be the biggest game-changer in HITECH,” says Drummond. “In my opinion, you can forget about the data breach notification provisions, the direct regulation of business associates, or the increased penalties. The biggest game-changer in HITECH is the added ability of state attorneys general to act as ‘HIPAA police.’ Making BAs directly subject to HIPAA doesn’t change much if the soft enforcement regime of OCR stays the same; increasing the penalties doesn’t matter if no penalties are being assessed. But, add the new AG enforcement powers to the right of affected individuals to share in any fines or penalties collected, and the entire enforcement calculation changes.”
The hospital involved in this week’s case is Griffin Hospital of Derby, CT, a 160-licensed-bed facility that handled about 7,500 admissions last year (179,000 outpatients). Griffin confirmed the breach of protected health information (PHI) in a statement on its Web site.
From February 4 to March 5, Griffin said an investigation revealed a radiologist previously affiliated with the hospital or on the hospital’s medical staff used the passwords of other radiologists and an employee within the radiology department to gain access to 957 patient radiology reports on the hospital’s Digital Picture Archiving and Communication System (PACS). The reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth, according to the facility.
The radiologist, once contracted with Griffin for radiology professional services, had authorized access to the hospital’s PACs system. However, his employment with the radiology group was terminated on February 3, 2010, Griffin says, and his password revoked.
But through its investigation, Griffin learned of a repeated, unauthorized access from a single computer to its PACS. Its audit identified the former employee’s computer Internet Protocol Address as the one that made the inappropriate access.
The former employee downloaded the image files of 339 of these patients, Griffin said.
HealthLeaders Media on Tuesday asked a Griffin Hospital spokesperson if the former radiologist sought personal financial gain by recruiting the hospital’s clients. Bill Powanda, vice president at Griffin and the hospital’s spokesperson for the incident, said, “that will all come out in the investigation.”
“These charges, if true, are deeply disturbing,” Blumenthal said in a statement. “Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals. Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.”
Griffin began the investigation when patients contacted Griffin about “unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients’ interest in having those services provided at Griffin Hospital.”
Griffin said it has complied with HITECH breach notification requirements by:
- Notifying the HHS secretary
- Notifying patients who have had their PHI accessed in the breach
- Disclosing the information to the local media
- Posting information about the breach on Griffin’s Web site
Griffin officials have also notified Blumenthal’s office about the breach, changed all of the passwords for PACS users whose passwords were used without authorization, and advised all users of the need for strict password confidentiality.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix, AZ, and principal of HIPAA Boot Camp in Casa Grande, AZ, says bringing state AGs into the HITECH enforcement mix raises the possibility of discovered breaches to a “new level.”
“I certainly can see attorney generals becoming motivated first responders to discovered breaches when compared to actions that may be taken by a federal entity. Bottom line, enforcement, or at least the threat of enforcement, is moving closer and closer to home with respect to the location of the involved covered entity,” he says.
Q: An emergency department (ED) nurse at a hospital and trauma center saw the name of an acquaintance on a patient list. The nurse learned that the patient was admitted to the intensive care unit (ICU). Based on this knowledge, the nurse visited the patient and family later that day. Is this a HIPAA privacy violation? The employee used information intended for treatment purposes to learn of the admission and then visit the patient.
A: The ED nurse violated the HIPAA privacy rule. The nurse used PHI for purposes other than treatment, payment, healthcare operations, or as specifically allowed by law or authorized by the patient. Merely seeing an acquaintance’s name on a patient list doesn’t amount to a HIPAA violation. The nurse’s actions, however, violated the privacy rule.
Chris Apgar, CISSP answered this question in the April 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.
No rest for this state attorney general, made (HITECH) famous for being the first to sue using newly granted powers to state AGs to pursue lawsuits involving HIPAA violations.
And here is the hospital’s statement on the breach. Looks like a case of a former employee using a password to get into a system and contact prospective clients.
How do you identify a patient if you are using an e-mail to communicate? This is a long term nursing facility (Veteran’s Care Center).
Would it be reasonable to use the resident’s medical number that they are assigned?
Lawton/Ft Sill Veterans Center
I’d love to hear from a privacy and security officer about how you go about de-identifying your patient information. What’s the process at your facility? How do you train staff?
Any comments would be appreciated. And you can certainly e-mail me personally as well.
HIPAA Update editor