URMC Takes Action to Prevent Future Patient Privacy Violations

In May, the University of Rochester Medical Center suffered a data breach after an employee took the Protected Health Information (PHI) of patients to a new employer, all in the name of continuity of patient care.

The employee in question, a nurse practitioner in the Department of Neurology, was concerned about patient continuity of care after she left her employment. She was provided with a printed list of patients’ information by the medical center for the purposes of adding notes and information that would ensure that patients did not suffer any fall in care standards as a result of her departure. The list was not collected prior to the employee leaving her employment, and the information was subsequently disclosed to her new employer.

With the benefit of hindsight, it was perhaps ill-advised to have provided printed PHI to a member of staff about to take employment with another local healthcare provider. However, all that can be done now is to notify the patients concerned and make changes to policies and procedures to ensure a similar incident cannot happen again, or as far as it is practical and possible to do so.

Many healthcare providers suffering a data breach inform patients that they are implementing new security measures to improve privacy protections, but do not go into much detail on what those measures entail. The University of Rochester Medical Center has opted for transparency, and made the decision to announce the changes it has made to address the risk of PHI exposure.


Improving Policies, Procedures and Protections for Patients


After any improper disclosure by a present or former member of staff, further training should be provided on privacy rules. URMC is embarking on such a program of re-enlightenment, and will be instructing physicians, nurses and other providers of healthcare services on their obligations under HIPAA, and under the new hospital policies that are being developed.

David Kirshner, senior vice president and chief financial officer for URMC, recently said of the new policies, “There are do’s and don’ts, and those are being very clearly spelled out in the policy guidelines that we’re drafting.”

The medical center formed a privacy and security committee two years ago which has been addressing data security issues and privacy matters. The medical center has made efforts to maintain compliance with HIPAA rules and prevent data breaches, although the recent breach demonstrated inadequacies in policies.

The committee has discussed the incident and assessed security and privacy policies and procedures in an effort to prevent similar data breaches from occurring in the future. The committee accepted that the nurse practitioner, Martha Smith Lightfoot, should not have taken information and disclosed it to her new employer, but also that the nurse should never have been provided with the list in the first place.


Communication with Patients to be Restricted


One of the policy changes being introduced is a new restriction on official communications with patients. Rather than permit information relating to continuity of care and care services to be communicated to patients by physicians and nurses, those communications will now be taken care of at a departmental level.

According to Spencer Studwell, Co-chairman of the URMC Privacy and Security Executive Committee, “We recognize there may be conversations that occur between individual physicians and their patients.” He pointed out, “It wouldn’t be realistic to try to prevent those from happening. But the formal communication should be happening at the institutional level.”

Kirshner confirmed that while there were a number of people in the department who could have ensured continuity of care did not suffer, the policies were not in place to assign that responsibility to anyone. The new policies will address the issue, and with greater control of PHI, it is hoped that future breaches can be prevented.

The new privacy and security policies are now in the process of being finalized and are expected to be issued to staff by the end of next month.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.