It’s The Queen Calling: Phoning in HIPAA
It seems that everyone wants to know about Britain’s royal family. The media are obsessed with the most mundane private details of their lives because that information is marketable to the public. While the relentless pursuit of their private information is exceptional in character, such infringements are in reality an everyday occurrence at medical facilities across the world. Unauthorized parties, from family members and nosy neighbors to an insurance company, an employer, a workers’ compensation investigator, or another medical provider, frequently request patient information.
Healthcare organizations must be prepared for such information requests and take the necessary steps to effectively train employees in the proper procedures. Could the medical facility in northern Colorado have predicted the onslaught of information requests that followed after a famous athlete was accused of a serious crime in 2003? Did the hospital in Ocoee, Florida have well-trained employees to identify requesters when a famous golfer was a patient in 2009? In all likelihood, they implemented crisis management techniques to deal with these unique situations—but it is the day-to-day requests for information about the average patient that can trick an employee or expose a gap in procedures.
When the HIPAA Privacy Rule was created, the original intent was to ensure the privacy of medical records in preparation for the electronic sharing of information. Preparing for a national system that will more effectively provide access to patient records to those who need them requires an established privacy framework that ensures disclosures are justified and that the patient is notified. Over time, the Privacy Rule has been applied to more routine requests from individuals, such as a spouse or child wanting to know about the condition of a loved one. With today’s threats of social engineering, organizations must evaluate their procedures for the full variety of requests that reach their employees.
When someone contacts a healthcare organization by telephone, what are the procedures for identifying the caller? An organization must establish the methods for properly authenticating an individual and then train the employees on the acceptable procedures, preferably advancing to role-play and testing.
In the incident that led to the unauthorized release of Kate Middleton’s medical information in December 2012, the nurse who provided the information over the telephone may have assumed that the first nurse who answered the call had properly authenticated the requestor. Leadership must assign the responsibility of authenticating identities to those who have proper training to do so. Good security procedures do not authenticate a caller simply on the basis of a verbal request, but on independently verifiable identifiers such as a call back to a pre-authorized number or a code word. Centralizing the authentication of requests among those prepared to follow the procedures is advisable, because it reduces the possibility of mistakes by the general workforce.
Once the identity of a caller has been established, the decision about whether to share information is an entirely different process. A healthcare organization should establish policies about what types of information are allowed to be shared over the telephone and which employees are allowed to provide the information. Every instance of providing Protected Health Information (PHI) over the phone should be documented. Even assuming the caller’s identity had been verified, did the nurse have the authority to share information about Middleton’s condition over the telephone? Leadership should create “information silos” so that all employees know how to determine who has the responsibility to follow the allowed procedures, rather than assuming that they can make that determination alone.
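The two-step workflow described above (callback-and-code-word authentication, followed by a separate authorization decision and a mandatory disclosure record) is modelled in the following Python. This is an added illustration, not code from the article or from the author's firm; the patient identifier, contact registry, phone-disclosure policy table, and role names are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _hash(word: str, salt: str) -> str:
    """Salted hash so the contact registry never stores code words in clear."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt.encode(), 100_000).hex()

# Constructed sample data: pre-authorized contacts per medical record number.
# Each entry maps a pre-registered callback number to (relationship, salt, hash).
CONTACTS = {
    "MRN-0001": {"+15550100": ("spouse", "salt-0001", _hash("bluebird", "salt-0001"))},
}

# Constructed phone-disclosure policy: which roles may release which PHI category by phone.
PHONE_POLICY = {"general_condition": {"charge_nurse", "privacy_officer"}}

# Every disclosure decision, released or refused, is recorded here.
DISCLOSURE_LOG = []

def authenticate_caller(mrn, callback_number, code_word):
    """Step 1: identity is established only by calling back a pre-authorized number
    and receiving the pre-arranged code word; a verbal claim alone proves nothing."""
    entry = CONTACTS.get(mrn, {}).get(callback_number)
    if entry is None:
        return None  # number is not on file for this patient
    relationship, salt, stored = entry
    if not hmac.compare_digest(_hash(code_word, salt), stored):
        return None  # wrong code word; compared in constant time
    return {"mrn": mrn, "relationship": relationship, "via": callback_number}

def disclose_by_phone(identity, category, employee, role):
    """Step 2: a separate authorization decision, then an audit record regardless
    of outcome. Returns True only if the caller is authenticated AND the employee's
    role is permitted to release this category over the telephone."""
    allowed = identity is not None and role in PHONE_POLICY.get(category, set())
    DISCLOSURE_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "mrn": identity["mrn"] if identity else None,
        "caller": identity["relationship"] if identity else "unauthenticated",
        "category": category, "employee": employee, "role": role,
        "released": allowed,
    })
    return allowed
```

Note that a floor nurse is refused even when the caller is genuinely authenticated: authentication of the caller and authority of the employee are checked independently, and both decisions are logged.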
Human error is inevitable. Implementing the administrative, technical, and physical controls prescribed by the HIPAA Security Rule is what makes the privacy of PHI achievable. An organization’s communication style is critical to effective compliance with its policies and procedures for authenticating callers and sharing information over the telephone; the frequency and quality with which expected employee behavior is communicated makes a difference. Leadership that criticizes or berates employees when procedures are not followed can expect employees to hide their challenges or failures in following procedures, when in fact sharing those experiences is necessary to enhance and improve operations.
Many healthcare organizations do a poor job of defining and training on these critical procedures, yet expect employees to act as gatekeepers and custodians of sensitive patient information when faced with a high-pressure request or a skilled social engineer. Leadership should use real-world examples, both good and bad, to demonstrate human behavior in action and to guide and encourage employees toward a better understanding of the procedures that adequately protect patient information.
Joseph Kirkpatrick is a security specialist and president at security firm RavenEye.