Learn how your independent emergency physician group can prevent the most common VIP leaks from happening on your watch.
How does your emergency department handle sensitive cases with high-profile information?
Though your emergency physicians should always follow HIPAA protocols, EDs located in wealthy zip codes with VIPs or near celebrity hotspots and CEO vacation havens need to pay extra attention to their security processes.
It doesn’t take much for a normally responsible employee to make a mistake and cost your group big time.
High-Profile Patient Information May Be Harder for Staff to Resist
ED staff who have nothing to do with the treatment of a high-profile patient should not have access to their medical records.
And even though there’s a digital trace of all users who access electronic medical files, employees still continue to jeopardize their jobs and their ED groups by peeking at VIP charts they’re not authorized to read.
Just recently, dozens of employees were accused of improperly viewing the medical records of Jussie Smollett when he was treated at the Northwestern Memorial Hospital ER at the beginning of 2019[*].
Cases like this happen all over the country. Some employees can’t resist a glimpse into a celebrity’s most private life; others seek out Protected Health Information (PHI) and hope to sell it for a huge payout.
Could something like this happen at your ED?
The Most Common HIPAA Violations for VIP Patients
Each individual HIPAA rights violation could cost your ED a hefty fine upwards of $50,000 — and that won’t be covered by malpractice insurance. Serious violations could also result in jail time.
Beware the most common HIPAA violations, including:
- Giving out PHI over the phone without a patient’s consent. The information could easily reach a source who makes it public.
- Leaving out a patient log book for someone to see. Everyone from staff to other patients could read the information and broadcast it. PS: Each patient sticker counts as an individual violation.
- Losing a patient log book or having it stolen.
- Posting about a case online. Your staff may be posting comments about their high-profile cases on social media, and your ED may not realize they could be releasing identifying information.
- Sending PHI via email, which makes you vulnerable to hackers, especially once they know a celebrity is in your midst. Any patient info you email must be encrypted or password protected.
But the biggest HIPAA leak may happen when you discuss medical information with patients while there’s a visitor in the room.
You can’t always assume the people VIPs bring with them are allowed to hear the sensitive medical discussions or evaluations you’re going to share, especially in an emergency situation.
The person accompanying your patient could be an ex-spouse, neighbor, employee, or a Good Samaritan they hardly know.
While it may seem benign to discuss a diagnosis for a broken arm in front of this person, saying you cannot give the patient narcotics because their medical history shows prior substance abuse may not be PHI the patient consented to release to them.
Patients can also ask questions, which may trigger your need to discuss sensitive PHI when you answer (such as a history of prescriptions, STDs, pregnancies, HIV, or other conditions).
So how should your ED handle high-profile cases correctly?
How to Protect Sensitive, High-Profile Cases
Employees frequently deal with celebrity clientele at Cedars-Sinai Medical Center in Los Angeles.
Like most emergency departments, their electronic medical records have a “break the glass” security measure, which means employees need to enter their password and a reason for accessing the records of high-profile patients.
They’ve also worked extensively on a warning system with automatic alerts based on pattern recognition software similar to what credit card companies use to flag suspicious activity.
So make sure your software is up to date with security protocols along these lines.
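A minimal sketch of the kind of audit review that "break the glass" logging and automated alerts make possible, as an added example that is not from the original article or from any hospital's or vendor's software. The log fields, user names, patient IDs, rule names and the burst threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from any real EHR).
VIP_PATIENTS = {"P-1001"}                        # charts flagged as high-profile
CARE_TEAM = {"P-1001": {"dr_lee", "rn_ortiz"}}   # staff assigned to treat the patient

AUDIT_LOG = [
    {"ts": "2024-01-01T02:10", "user": "dr_lee",    "patient": "P-1001", "reason": ""},
    {"ts": "2024-01-01T02:12", "user": "rn_ortiz",  "patient": "P-1001", "reason": ""},
    {"ts": "2024-01-01T02:40", "user": "clerk_kim", "patient": "P-1001", "reason": ""},
    {"ts": "2024-01-01T03:05", "user": "rn_patel",  "patient": "P-1001",
     "reason": "covering for rn_ortiz"},
    {"ts": "2024-01-01T03:30", "user": "tech_wu",   "patient": "P-1001", "reason": "  "},
    {"ts": "2024-01-01T03:31", "user": "clerk_kim", "patient": "P-2002", "reason": ""},
]

def review_access(log, vip_patients, care_team, burst_threshold=3):
    """Return (user, patient, rule) findings for VIP chart access by non-care-team staff."""
    findings = []
    outsiders = defaultdict(set)  # patient -> distinct non-care-team viewers
    for entry in log:
        patient, user = entry["patient"], entry["user"]
        if patient not in vip_patients:
            continue                      # only high-profile charts are in scope here
        if user in care_team.get(patient, set()):
            continue                      # treating staff are expected to open the chart
        if entry["reason"].strip():
            # A reason was entered at the break-the-glass prompt: route to human review.
            findings.append((user, patient, "review_reason"))
        else:
            # Chart opened with no stated reason at all.
            findings.append((user, patient, "missing_reason"))
        outsiders[patient].add(user)
    # Pattern rule: many different outsiders opening the same chart.
    for patient, users in sorted(outsiders.items()):
        if len(users) >= burst_threshold:
            findings.append(("*", patient, f"viewer_burst:{len(users)}"))
    return findings

if __name__ == "__main__":
    for finding in review_access(AUDIT_LOG, VIP_PATIENTS, CARE_TEAM):
        print(finding)
```
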
You may also want to:
- Try overlapping emergency shifts. This will reduce patient handoffs and the need to spread PHI around to more employees, among other benefits.
- Speak in hushed tones to keep others in a crowded emergency department from hearing your private conversations. This step to reasonably safeguard your discussions shifts a leak, if one occurs, toward incidental disclosure rather than intentional disclosure.
- Ask for consent to discuss sensitive information in front of visitors, including staff members, spouses, and friends. Make sure patients know what kind of information could be disclosed in front of visitors, and ask whether they’d like visitors to step outside while you chat alone. This rule has exceptions for legal guardians of minors or incapacitated patients.
According to researchers in one study, improving emergency department patient privacy and satisfaction in a crowded ED setting was successful when[*]:
- The ED environment was redesigned for privacy, with separate rooms and movable screens. This allowed patients a quiet area to speak candidly with their physicians alone.
- Process management improved. Employees were no longer leaving charts and notes with patient information in public areas.
- Access control was tightened. A card reader system was installed that allowed only ED staff and authorized persons to access the ED.
- Staff education and training became a priority. Workshops regarding clinical ethical issues like privacy and confidentiality, the disclosure of medical information, professionalism, etc. were offered to new and current staff.
Start implementing one or a few of these tips and your ED will be better prepared to protect sensitive information in high-profile patient cases the right way.