The recent HHS settlement in the case of 71 cardboard boxes of medical records being left on a physician's driveway is your 800,000 reasons, and they are all in cold, hard cash. Here is the key detail about what happened, directly from the resolution agreement:
On June 4, 2009, Parkview failed to appropriately and reasonably safeguard the PHI, when Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.
The $800,000 settlement came with a corrective action plan that includes additional training for all 8,700 employees. It clearly states that the employees made a decision to leave 71 boxes of records on a driveway. Whether or not the employees had been properly trained and elected to do this anyway isn’t clear. So, do you think those employees just didn’t care or they weren’t trained to care about what information was in those boxes?
When we are discussing training requirements with many offices, both CE and BA, they question the need to train all workforce members. I could easily see a discussion about whether or not those employees needed HIPAA training. They never touch PHI to do their jobs; maybe they just move things between the health system’s facilities. It would be argued that there is no need to spend the time or the money to train these people to worry about the importance of protecting PHI. They just don’t end up in that situation where it will matter.
I tell them the same thing today that I have for the last few years. Now, I just have something specific to point to with this resolution. If you can’t be certain who may be in the position to make a decision like these employees did, isn’t it better to have a fighting chance they have a clue about HIPAA?
It is summertime and many small offices have teenagers around the office. Yes, some are there to work and others are there more so that someone keeps an eye on them, but either way they need to know how serious they should be about protecting the PHI in your office right now. What if they were the ones someone decided to send on an errand like this one?
If someone cleaning out the trash finds medical records tossed where they shouldn’t be, wouldn’t you prefer they know to tell you about it or even just toss it in the shredder box instead? They may be your last line of defense.
Take it further and consider what would have happened if a BA was involved in this delivery debacle. Do you think a BA would worry about making sure those people were trained properly to understand what they were delivering and how it should be handled? Many sites are still uncertain if their BAs even know what they are supposed to be doing for HIPAA, much less actually training every single member of their workforce.
HIPAA Training should be done for every single member of your workforce. Make note that the term workforce is used. HIPAA defines the workforce as every person under direct control of the CE or BA whether or not they are even paid. If you tell them in any way what they should work on, when, and where they should work, then they should be trained.
HIPAA Training can no longer be the 45-minute lunch everyone sits through in January while someone from the malpractice insurance company comes by to talk about HIPAA. There needs to be more to it than that, or you may find your records floating down a street one day because it was just a box of papers being delivered.