Q&A with Beau Patterson
HIPAA makes employers pay costs for curiosity of their employees
Q: Cedars-Sinai Medical Center in Los Angeles made news earlier this month when it terminated several employees in response to a privacy breach involving the medical information of celebrity Kim Kardashian. The breach occurred when six hospital employees, who were not involved in Ms. Kardashian's care, accessed her medical file seeking information about her recent pregnancy and delivery. The information was not shared outside of the hospital, and the employees appeared to be motivated only by a desire for information about their favorite television personality. Did the hospital do the right thing?
A: Yes. The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on health care providers and related covered entities to protect and secure a person's health information. This not only means preventing outside disclosures of protected health information, but also limiting access within the organization to persons who need to know for treatment, payment or health care operation purposes. HIPAA requires a swift and thorough response when a breach is discovered, which can include imposing disciplinary penalties up to termination for employees who violate the law, and undertaking expensive training and corrective measures to guard against future problems. The federal government can impose significant fines when a covered entity fails to safeguard protected health information or to respond appropriately to a breach. Criminal penalties are a possibility. In 2011, the UCLA Health System paid nearly $1 million to federal regulators to settle claims of HIPAA privacy breaches engaged in by certain members of its administrative and medical staff. In one case, a physician in the system received a four-month prison sentence for impermissibly accessing the medical records of former Gov. Arnold Schwarzenegger.
Q: Do HIPAA's obligations apply to non-health care providers?
A: Yes. Beginning Sept. 23, federal rules will go into effect imposing many of HIPAA's privacy and security obligations (as well as corresponding penalties) on third-party businesses that perform services for — and receive protected health information from — covered entities (“business associates”). For example, a law firm representing a nursing home in litigation is a business associate if it receives protected health information during the course of its representation. Likewise, a business consulting firm that receives and analyzes protected health information as part of its effort to assist a health care provider in improving operational efficiency would be a business associate. Businesses shouldn't assume that, because they are seemingly not involved in the health care industry, they are necessarily outside of the reach of HIPAA.