During a traffic stop and arrest in August, the Tampa Police found documents regarding patients of Tampa General Hospital in the car. According to the hospital’s statement regarding the incident, a subsequent internal investigation by the hospital revealed that the documents included information about 675 patients, including names, dates of birth, admitting diagnoses, names of insurance payers and, in some instances, social security numbers. The hospital’s investigation identified an employee (not the individual arrested) as the apparent source of the documents; that employee was subsequently terminated.
Tampa General Hospital has notified affected patients and stated that it plans to “implement technology that blocks patient information based on an employee’s job description, including limiting access to patients’ social security numbers” as a result of this specific incident.
Based on these details, we can speculate that the employee involved had access to information that was not necessary for their job duties. HIPAA’s “minimum necessary” rule requires that healthcare organizations identify, for each employee or class of employees, the minimum necessary information needed to perform their job duties.
After identifying these information needs, implementation of this rule requires installing safeguards that limit workforce access to PHI (protected health information) to that which is required to carry out their job duties. HIPAA also requires that any software used include access control functionality, and most medical software, including electronic record software, revenue cycle management systems, and other systems used by hospitals, includes very granular role-based access control capabilities.
The HIPAA Privacy Rule includes the minimum necessary provision described above, and for electronic systems the HIPAA Security Rule requires that role-based access controls be used to implement the minimum necessary protections.
For a community hospital, a robust implementation of these controls is a significant and ongoing effort. In addition to the major systems – electronic records and revenue cycle – there are usually a myriad of other systems: lab, pharmacy, PACS, coding tools, niche electronic record systems for ED, rehab, psych, oncology and other service lines, electronic claims and other systems. Each system should be assigned an “owner” who is responsible for implementing these role-based controls and keeping them up to date.
If the controls are set too tightly, there will be constant requests to create exceptions for a particular staff person. If they are set too loosely, then the organization has the risk of an incident such as the one at Tampa General Hospital.
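The field-level controls the hospital describes, as an added Python illustration (not Tampa General Hospital’s system or any EHR vendor’s product): a per-role allowlist of record fields implements the minimum necessary rule with default deny, a time-boxed per-user exception handles the “too tight” case without loosening the whole role, and a denial log lets a reviewer spot one user being refused the same field across many patients. Role names, field names, user names and record values are all constructed for the example.

```python
"""Field-level, role-based access control for patient records.

Added example, not code from Tampa General Hospital or any EHR vendor.
Each job role gets an explicit allowlist of fields (default deny), a
single staff member can receive a time-boxed exception, and every
denied field request is logged for review. All roles, fields, users
and record values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed patient record; every value is fake.
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Test Patient",
    "dob": "1970-01-01",
    "admitting_dx": "chest pain",
    "insurance_payer": "Example Health Plan",
    "ssn": "000-00-0000",
}

# Hypothetical minimum-necessary allowlists per role; an unlisted field
# is never returned to that role.
ROLE_FIELDS = {
    "nurse": {"mrn", "name", "dob", "admitting_dx"},
    "coder": {"mrn", "dob", "admitting_dx", "insurance_payer"},
    "billing": {"mrn", "name", "dob", "insurance_payer", "ssn"},
    "transport": {"mrn", "name"},
}


@dataclass(frozen=True)
class Grant:
    """Time-boxed exception giving one user fields beyond their role."""
    user: str
    fields: frozenset
    expires: datetime


@dataclass
class AccessPolicy:
    role_fields: dict
    grants: list = field(default_factory=list)
    denied_log: list = field(default_factory=list)  # (ts, user, role, mrn, field)

    def grant_exception(self, user, fields, hours, now):
        """Record a per-user exception that lapses after `hours`."""
        self.grants.append(Grant(user, frozenset(fields), now + timedelta(hours=hours)))

    def permitted_fields(self, user, role, now):
        """Role allowlist plus any unexpired grants for this user."""
        allowed = set(self.role_fields.get(role, set()))  # unknown role -> nothing
        for g in self.grants:
            if g.user == user and now < g.expires:
                allowed |= g.fields
        return allowed

    def read_record(self, user, role, record, requested, now):
        """Return only the requested fields the user may see; log the rest."""
        allowed = self.permitted_fields(user, role, now)
        visible = {}
        for name in requested:
            if name in allowed and name in record:
                visible[name] = record[name]
            else:
                self.denied_log.append((now.isoformat(), user, role, record.get("mrn"), name))
        return visible

    def users_with_repeated_denials(self, min_distinct_mrns):
        """Users denied a field on at least `min_distinct_mrns` different patients.
        One denial is usually a workflow mismatch; the same user refused
        across many patients is what a reviewer wants to see."""
        seen = {}
        for _ts, user, _role, mrn, _name in self.denied_log:
            seen.setdefault(user, set()).add(mrn)
        return sorted(u for u, mrns in seen.items() if len(mrns) >= min_distinct_mrns)


def demo():
    """Walk through the three behaviours; returns the results for inspection."""
    policy = AccessPolicy(ROLE_FIELDS)
    t0 = datetime(2014, 9, 1, 9, 0)
    # 1. Nurse asks for name and SSN: name returned, SSN denied and logged.
    first = policy.read_record("nurse01", "nurse", SAMPLE_RECORD, ["name", "ssn"], t0)
    # 2. A four-hour exception lets the same nurse see SSN, then lapses.
    policy.grant_exception("nurse01", ["ssn"], hours=4, now=t0)
    during = policy.read_record("nurse01", "nurse", SAMPLE_RECORD, ["ssn"], t0 + timedelta(hours=1))
    after = policy.read_record("nurse01", "nurse", SAMPLE_RECORD, ["ssn"], t0 + timedelta(hours=5))
    # 3. A transport user requesting SSN on several patients stands out in the log.
    for i in range(3):
        policy.read_record("transport07", "transport", dict(SAMPLE_RECORD, mrn=f"00{i}999"), ["ssn"], t0)
    flagged = policy.users_with_repeated_denials(min_distinct_mrns=3)
    return first, during, after, flagged, policy


if __name__ == "__main__":
    first, during, after, flagged, policy = demo()
    print("nurse first read:", first)
    print("during exception:", during, "after expiry:", after)
    print("flagged users:", flagged, "denials logged:", len(policy.denied_log))
```

The role table is what the system owner described above maintains; grants are the controlled outlet for the exception requests that tight controls generate, and because they expire, the role itself never quietly widens. The denial log is the detection side of the same control.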
During the difficult financial times that most hospitals are experiencing in 2014 it is challenging to find the necessary resources to invest in these controls. However, those who fail to invest may place their patients’ privacy at risk.