In the early hours of June 12, 2016, news broke of a horrific attack and mass killing of patrons inside an Orlando nightclub. All told, 49 people were killed and another 56 were injured but would survive. The victims were taken to two separate hospitals in the Orlando area for care: Orlando Regional Hospital and Florida Hospital.
In March of 2015, the body of Noah Thomas was found inside a septic tank near his family home. His mother, Ashley, was later charged with abuse and neglect that led to the young boy’s death. Ashley was a patient at a Virginia Carilion Healthcare Clinic.
Both cases are very sad and unthinkable stories of the darker side of humanity. Both cases were made worse by curious healthcare workers who snooped in the records of the victims in the first case and of the guilty in the second.
The HIPAA rules are very clear on the permissible uses and disclosures of protected health information (PHI). It is important for every member of the healthcare community to remember that while we may have broader access to the records of patients seen within a facility, individual access is still governed by the concept of minimum necessary. In other words, I have been given the least-privileged access necessary to complete my job for my employer, but I use that access judiciously. I access only those records that I currently have a treatment, payment or healthcare operations (TPO) reason to access.
Access and sanctions for wrongful access are governed by individual entities. Each practice must first decide who needs what access. Then the entity must put safeguards in place to ensure that access is used appropriately, and finally create sanctions for those times when an employee, for whatever reason, misuses their access privileges. It is the employer's responsibility to train on appropriate and inappropriate use of and access to patient information. It is the employee's responsibility to know how and when to access patient information appropriately, and to ask when unsure.
Following the discovery that their employees had snooped in the records of the victims of the Orlando nightclub shooting, the hospitals announced they would provide all care to the 56 survivors at no charge. Additionally, the cost of notifying each of the victims and of notifying Health and Human Services, the risk of an investigation by the Office for Civil Rights, the cost of reputational harm, and potential lawsuits must all be taken into account. Each employee involved in the snooping case will also face penalties from their employer that could include termination. In the Carilion case, several employees were terminated. The concern of an investigation by the Office for Civil Rights looms overhead, and finally, reputational harm often cannot be undone.
In every sector of healthcare, we deal with sad, horrific and unthinkable cases of harm and inhumanity. However, it remains the role of the healthcare worker to provide excellent care at the time of emergency and afterwards. Once the immediate risk is removed, our responsibility to our patients is no less important. We take an oath to do no harm. We should remember that oath not just while treating our patients, but in the aftermath, and any time we are accessing patient information.