People responsible for information privacy and security know that one of the most formidable risk factors, one that cannot be fully mitigated no matter what you do, is the human factor. We fallible humans, in spite of all warnings to the contrary, fall for phishing schemes, click on harmless-sounding links that actually lead to malicious sites, and otherwise endanger data security. Probably hundreds of hospital employees have been fired for browsing electronic health records looking for celebrity tidbits, and yet people still do it.
I’m writing this on Valentine’s Day, so it is with sorrow that I mention that the human factor can cause the most havoc when the human involved is a disaffected spouse or jilted lover. In a recent case with a background more typical of a Housewives episode than the case files of the Office for Civil Rights (OCR), the estranged husband of a manager at a durable medical equipment (DME) company blew the whistle on sloppy record-keeping procedures at the firm. When his wife left him, she left behind patient records along with the other detritus of the failed marriage. Recognizing the problem inherent in a person with no connection to patient treatment possessing this information, the public-spirited ex-spouse complained to OCR. On investigation, OCR agreed that the DME company had not maintained reasonable safeguards for the protected health information (PHI) in its custody. This conclusion was based in part on statements made by the ex-wife (who by then was also an ex-employee).
OCR imposed a civil money penalty of $239,800, and the company contested it. The Administrative Law Judge upheld the penalty, finding that the company had failed to maintain written policies on the protection of patient information, and that a member of its workforce had disclosed PHI to an unauthorized person.
While the DME company could not have prevented the marital break-up, it certainly would have been in a better position to deal with the fallout if it had had written policies detailing how employees must secure PHI. In particular, this company had no policies for tracking documents removed from the office and ensuring their safe return, which “meant that PHI could be missing for indefinite periods without the company’s knowledge.”