Despite efforts, policy rules on medical records violated
Gazette Staff/SourceMedia
May 19, 2011 8:46 am
IOWA CITY - University of Iowa Hospitals and Clinics has disciplined 78 employees for privacy law violations in the past five years, with 50 investigations resulting in discipline during that time.
At 13 employees disciplined so far this calendar year, 2011 already outpaces three of the last five years for the number of employees punished.
Officials said the numbers fluctuate year-to-year and no trends stand out, but they said it does seem staff and patients are more vigilant about reporting concerns after an incident that receives a lot of publicity.
One such high-profile case happened in January, when five hospital employees were disciplined for improperly accessing the medical records of UI football players.
Officials at UI Hospitals and Clinics and with other hospitals in the Corridor say monitoring privacy violations is an important part of maintaining patient trust. The federal government also requires hospitals to track and report violations.
“Patients come to us at the most vulnerable times in their lives and they share intimate details of their lives with their care providers,” said Debbie Thoman, UI privacy officer and assistant vice president for compliance and accreditation for UI Health Care. “We want them to feel comfortable doing that because that's how we can provide the best patient care.”
Violations of HIPAA - the Health Insurance Portability and Accountability Act - most often result in suspension or written reprimands for staff at UI Hospitals and Clinics, according to the numbers from Jan. 1, 2006, to May 18, 2011. But a serious infraction can get an employee fired.
Of the 13 UI Hospitals and Clinics employees who have been disciplined so far in 2011 for HIPAA violations, eight of them were fired. In 2010, seven employees were fired out of the eight disciplined.
The level of discipline depends on the severity of the incident, Thoman said, and UI officials work to be consistent so that no matter the position of the staff member, the punishment is the same for similar infractions.
Some of the most common violations, both locally and nationally, include improper access to records and impermissible uses and disclosures, officials said.
Disclosure rules
UI Hospitals and Clinics released the HIPAA violation information to The Gazette because it is a public hospital.
Officials with several private hospitals in the area declined to release their data and said hospitals do not have to publicly disclose HIPAA violations unless the incident involves the breach of information of more than 500 patients. The state of Iowa has one such violation listed on a federal website, an incident from July 2010 at Pediatric and Adult Allergy of Des Moines, when the loss of a portable electronic device affected the records of 19,222 patients.
Information on all HIPAA breaches is collected annually by the Office of Civil Rights in the U.S. Department of Health and Human Services.
Infractions affecting fewer than 500 patients are not made public, though some information can be obtained through a Freedom of Information request once the Office of Civil Rights investigation of an incident is closed, Rachel Seeger, Office of Civil Rights spokeswoman, said.
The Gazette on April 21 submitted a Freedom of Information request to the department, seeking total numbers of HIPAA violations for several private hospitals in Eastern Iowa for the past five years. Officials said it's unknown how long it will take for the request to be filled, as processing time depends on the complexity of the request and whether sensitive records, voluminous records, extensive searches or consultation with other agencies are involved.
Nationally, HIPAA complaints totaled 8,524 in 2010, compared to 7,340 in 2006, according to the department.
“I think people have become more aware of HIPAA,” Seeger said.
Technology helps
Tracking violations is largely complaint-driven, but technology is playing a larger role in identifying them, officials said.
At St. Luke's Hospital in Cedar Rapids, an automatic computer audit checks HIPAA compliance, hospital spokeswoman Sarah Corizzo said. Questions also can be raised by patients and employees and are sometimes self-reported, she said. The hospital also has a privacy officer and offers a 24-hour HIPAA anonymous hotline.
Mercy Medical Center in Cedar Rapids also has procedures in place to take corrective action and disciplinary measures as appropriate for all reported breaches, spokeswoman Karen Vander Sanden said.
Hospitals train employees on HIPAA rules when they are hired and also have annual refresher training. Employees know that breaches will result in disciplinary action and possible legal ramifications, officials said.