This article appears in the January 2012 issue of HealthLeaders magazine.
You pick up the phone and someone tells you that a laptop containing thousands of patient files was left behind on the morning train. Or you learn that your own employees have been snooping into sensitive patient records for fun and profit. Or you discover that, for some odd reason, patient records have been posted on a completely unrelated public website for anyone to see, and they've been there for nearly a year.
Each of these scenarios has played out for some unfortunate healthcare executive, and they hold lessons in how to avoid such disasters, plus the best way to respond to such a crisis. Some of the most notorious HIPAA violations occurred within the UCLA Health System at the UCLA Medical Center, where singer Britney Spears was hospitalized in early 2008. After the Los Angeles Times reported that employees had been caught perusing Spears' records with no legitimate reason, the hospital confirmed the HIPAA violations, fired 13 employees, and took disciplinary action against others. It also suspended six physicians.
David Feinberg, MD, MBA, who became CEO for UCLAHS in 2007, says that the experience was a wake-up call for the health system, and that conditions have changed dramatically since then.
"It definitely was a crisis that we turned into a great opportunity," says Feinberg. "We had a very, very lax culture around privacy, and because we happened to treat an A-list of celebrities, it got national attention. But the reality was we were sloppy not only with celebrities, but also with a nurse looking at another nurse's records to see if she was really sick yesterday. That was our culture."
When the Spears case and other alleged violations came to light, the health system disclosed in April 2008 that it had discovered that several employees had snooped into the patient records of dozens of celebrities, including Spears, Tom Cruise, and Maria Shriver.