A hospital operating room (OR) secretary was fired after she accessed the hospital's EHR to look up a co-worker's phone number.
A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.
Hospital employees clicked on links in spear phishing emails that appeared to come from trusted sources, and the attackers behind those emails gained access to PHI for 63,000 individuals. Some of those individuals are now suing the hospital for failing to protect their privacy.
A patient is suing CVS for telling his wife about his Viagra prescription.
Some of you might read these (true) stories and see them as blatant HIPAA violations, or at least violations born of ignorance. Others might see honest mistakes. I think the answer depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.
In the CVS example, we can imagine a pharmacist or pharmacy tech working the register and taking phone calls. This person talks to people all day long about prescriptions, often prescriptions dropped off or picked up by a spouse. When was the last time this pharmacist was trained on when information may be shared with a spouse, and when it must be kept confidential?
Regarding the spear phishing example, I received two phishing emails today, and it's only 2:00 p.m. I recognized them as phony, but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize a suspicious email? It depends on how well they have been trained, and how often.
HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.
Our compliance programs are only as strong as our weakest employees, and it is up to us to train them to get it right.