In May, the University of Rochester Medical Center experienced a data breach after a member of staff took the Protected Health Information (PHI) of patients to a new employer.
The employee in question, who was trying to ensure continuity of patient care, was a nurse practitioner in the Department of Neurology. She was concerned about patients' continuity of care after she left her employment. The medical center supplied her with a printed list of patients' information so that she could add notes and information to ensure that patients did not experience any fall in care standards as a result of her departure from the role. The list of patients was not collected before the employee left her employment, and the data was subsequently disclosed to her new employer.
With the benefit of hindsight, it was perhaps ill-advised to have provided printed PHI to a member of staff about to take employment with another local healthcare provider. However, all that can be done now is to notify the patients concerned and to change policies and procedures so that a similar incident cannot happen again, or at least as far as it is practical and possible to prevent it.
Many healthcare providers suffering a data breach inform patients that they are putting in place new security measures to improve privacy protections, but do not go into much detail on what those measures consist of. The University of Rochester Medical Center has decided to focus on transparency, and made the decision to reveal the changes it has made to address the risk of PHI exposure.
After any improper disclosure of information by a present or former member of staff, further training should be provided on privacy rules. URMC is beginning a program of retraining, and will be instructing physicians, nurses and other providers of healthcare services on their obligations under HIPAA, and under the new hospital policies that are being formulated.
David Kirshner, senior vice president and chief financial officer for URMC, recently said referring to the new policies, “There are do’s and don’ts, and those are being very clearly spelled out in the policy guidelines that we’re drafting.”
The medical center formed a privacy and security committee two years ago, which has been addressing data security and privacy weaknesses. The medical center has made attempts to maintain compliance with HIPAA rules and prevent data breaches, although the recent breach showed inadequacies in its policies.
The committee has discussed the incident and assessed security and privacy measures and procedures in an effort to prevent similar breaches from occurring in the future. The committee accepted that the nurse practitioner, Martha Smith Lightfoot, should not have taken personal information and given it to her new employer, but also that the nurse should never have been supplied with the list in the first place.
One of the policy changes being implemented is a new restriction on official communications with patients. Rather than allowing information relating to continuity of care and care services to be given to patients by individual physicians and nurses, those communications will now be handled at a departmental level.