(Updated on Jan. 2)
Every day, physicians across the country are flirting with privacy trouble. They're texting each other protected health information, storing it in shared notes on their iPhones, and even posting about their patients on Facebook. Often, they don't even know what they're doing could be breaking the Health Insurance Portability and Accountability Act's privacy rule.
"You would think that physicians would hear about breaches and think they don't want that to happen to them, but at the same time, they're just going as fast as they can to get their job done just like the rest of us," said Katherine Downing, vice president of information governance, informatics and standards for the American Health Information Management Association.
Clinicians don't necessarily have time to think about HIPAA, and they might not know whether or not they're adhering to the regulations. At one university-owned orthopedic practice, providers are using shared iOS notes—stored in the cloud—to pass information to each other about patients' eligibility for trials, Downing said. In theory, they could be tracking eligibility in their electronic health record, made by Epic Systems Corp. But the practice doesn't have that feature turned on in the software.
Efficiency and convenience also lead physicians to communicate via text message. Although texting doesn't necessarily break any rules, it could, said Pamela Hepp, a healthcare lawyer with Buchanan Ingersoll & Rooney. If protected health information were sent to the wrong recipient, or if someone got hold of an unsecured phone with protected health information stored in the texting app, that would be considered a violation.
"The workarounds are the real problem," Downing said. Though these providers knew what they were doing wasn't quite right, they also weren't really thinking about that, focusing instead on getting the job done, she said.
Naiveté goes beyond physicians and nurses; it extends to medical office staff too. One administrative worker in a provider's office was upset with one of his neighbors for personal reasons, so he posted about that person on Facebook. The problem? He mentioned that the neighbor was a patient of the office where he worked, thereby breaking HIPAA rules.
The provider would have been on the hook for that violation, said William Horton, a partner with Jones Walker, whose clients include that provider. "That's something the provider didn't control. There's a breach even though there's nothing the provider could have done to prevent it," he said. "That's frustrating."
Sometimes, adhering to HIPAA has the opposite effect, leading fearful providers to avoid taking allowable actions. "Because HIPAA is a fairly complicated statute and set of regulations, you will not uncommonly hear providers say, 'We can't do XYZ because HIPAA won't let us,' when in fact that's not the case," Horton said. "Sometimes I think people default to that as an excuse for not doing things they don't want to do."
But sometimes it's just plain misunderstanding. "People tend to be very risk-averse, and it's much easier to say 'HIPAA won't let us do that,' " Horton said.
Providers often think that all email is off limits, Hepp said. "If the email goes to the right person, it's not a breach," Hepp said. Still, she pointed out, many organizations put rules in place that forbid emailing protected health information.
Another area of confusion is business associate agreements. Providers are sometimes unsure when agreements are needed. One of Horton's clients thought they needed a business associate agreement with someone who was an employee. If someone is employed by the group, they are part of the covered entity.
Part of the overall problem is what providers understand the purpose of HIPAA to be. "They often think of HIPAA as how they're set up in the EHR or patients' rights in the EHR," Downing said.
Provider organizations might solve some of these issues with better training. "HIPAA requires regular training," Downing said. "Annual is not often enough." Physicians must know who their privacy officers are, she said.
But that's not possible for some, whose organizations don't have privacy officers in the first place. These organizations risk not only being fined for HIPAA violations but also falling victim to cyberattacks.
"If the providers aren't being safe about technology, that's going to cost them way more than the Office for Civil Rights penalty," Downing said. "The security piece is even bigger than the HIPAA violations."
She recommended having employees read the OCR's cybersecurity newsletter to improve security without incurring a significant expense.
When organizations do have privacy officers, it's important for those people to focus on privacy and nothing else, Horton said.
"In order to do the best you can to ensure compliance, you've got to have somebody who is willing and able to dig into the requirements and remain up to speed on them."
Their job also includes vetting vendors to make sure all software is secure.
It's not enough to use generalized training for employees, Horton said. Providers should be trained according to the specific risks they face given their environments. "If you don't have policies that address that particular work setting, then you're really leaving yourself open for potential exposure," he said. "That takes time and money, but it's money well spent."