Because the Honor System Doesn’t Work
Electronic record systems contain a vast trove of interesting information – which can be a great temptation for a curious employee who knows that a relative, friend or neighbor was in the clinic. It has been 15 years since the HIPAA regulations were enacted, so most organizations instruct their employees that the electronic record information is exclusively for treatment, payment and health care operations. Yet the honor system clearly doesn’t work. This is demonstrated by research conducted by leading vendor FairWarning, which shows that employee HIPAA Privacy violations occur at a rate of approximately 1 employee violation for every 200 admissions or encounters.
The research that generated these statistics is based on health organizations selected from FairWarning’s client base of 1000+ organizations, which are generally medium to large hospital systems, although some multiple-location physician practices are included. Consider that a large hospital system with a dominant market share and an extensive multi-specialty physician practice, including primary care, would hold comprehensive records for a high percentage of all persons living in the community; that vast trove of information is a tempting opportunity for some curious employees. Consequently, these statistics do not necessarily translate to all environments. Intuition would suggest that smaller health organizations with smaller and narrower databases would have less appeal to the curious, and consequently the rate of violation would be lower. Nonetheless, the FairWarning research is instructive to organizations of all types regarding the everyday, high-probability risk of employee HIPAA violations. Simply put, employees are curious and browse through the records of family, friends, neighbors and acquaintances.
HIPAA requires that health care entities only use software that includes audit controls. Audit controls are functionality that records all activity: which user did what, and when they did it. Robust audit controls permit an after-the-fact investigation to demonstrate whether an employee violated HIPAA regulations. HIPAA further requires that organizations actually use these audit controls through an internal audit program. The HIPAA regulations phrase this requirement by stating that organizations must perform an “Information Systems Activity Review”.
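As an added illustration (not code from the original post or from any vendor), the following script performs a minimal after-the-fact activity review over constructed audit-control records that carry the three things the paragraph names: which user, did what, and when. It flags chart access by a user with no documented care relationship to the patient, and access where employee and patient share a surname, a rough proxy for the relative-browsing the post describes; the log format, the lookup tables and all names and identifiers are constructed for the example.

```python
"""Constructed audit-review example: flag chart accesses that lack a
treatment/payment/operations reason or that look like relative-browsing."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuditRecord:
    when: datetime      # when the action happened
    user: str           # which user performed it
    action: str         # what they did
    patient_id: str     # whose record was touched


# Constructed roster: user id -> employee surname.
EMPLOYEES = {"jsmith": "Smith", "mlee": "Lee", "rpatel": "Patel"}
# Constructed census: patient id -> (patient surname, users with a care role).
PATIENTS = {
    "P100": ("Lee", {"jsmith"}),
    "P101": ("Garcia", {"mlee", "rpatel"}),
    "P102": ("Patel", {"jsmith"}),
}


def parse_line(line: str) -> AuditRecord:
    """Parse one constructed pipe-delimited line: timestamp|user|action|patient."""
    ts, user, action, pid = line.strip().split("|")
    return AuditRecord(datetime.fromisoformat(ts), user, action, pid)


def review(lines):
    """Return (record, reason) pairs that warrant a privacy investigation."""
    findings = []
    for rec in map(parse_line, lines):
        surname, care_team = PATIENTS[rec.patient_id]
        if rec.user not in care_team:
            findings.append((rec, "no care relationship to patient"))
        if EMPLOYEES[rec.user] == surname:
            findings.append((rec, "employee shares surname with patient"))
    return findings


# Constructed sample audit log; two of the four accesses are on the care team.
SAMPLE_LOG = [
    "2024-03-01T08:15:00|jsmith|view_chart|P100",
    "2024-03-01T12:40:00|mlee|view_chart|P100",
    "2024-03-01T13:05:00|rpatel|view_chart|P101",
    "2024-03-02T09:00:00|rpatel|view_chart|P102",
]

if __name__ == "__main__":
    for rec, why in review(SAMPLE_LOG):
        print(f"{rec.when:%Y-%m-%d %H:%M} {rec.user} {rec.action} {rec.patient_id}: {why}")
```

In a real program the care-team lookup would come from the encounter or scheduling system, and a finding is a lead for a human reviewer, not proof of a violation.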
Why is this important? Because the honor system clearly doesn’t work. Or, in the words of the late President Reagan, “Trust . . . but verify.” Employees are trusted with access to a wide range of information in the electronic record system. This is usually necessary for operational efficiency. HIPAA then mandates that the organization verify, via internal audit, that this privilege was not abused. When it is abused, HIPAA further requires that employers sanction their employees.
While many larger healthcare organizations have effective internal audit programs, the vast majority of smaller organizations are simply ignoring this requirement. But how does an organization implement an internal audit program? Stay tuned for our next post, where we will explore options, strategies and best practices for an effective internal audit program.