What should not be included in the patient chart?

Physicians swear upon one of the most ancient binding documents at the beginning of their careers known as the Hippocratic Oath. It dates all the way back to Hippocrates, an ancient Greek physician.

In a nutshell, this scripture requests that doctors…

• Treat the ill

• Protect patient privacy

• Teach medicine to future generations

Nurses also have to take an oath in the early stages of their careers as well, the Nightingale Pledge. Although it doesn’t go as far back as ancient Greece, it’s still over 100 years old.

Upon graduation, nurses pledge to…

• Practice their profession faithfully

• Abstain from deleterious and mischievous actions

• Not administer anything harmful on patients

• Maintain and elevate their profession

• Hold all personal matters in confidence

Of course, since both of these professions deal within the same industry, it makes sense that they both require existential, lifetime contracts. Both types of professionals administer some of the most personal experiences known to man. Thus, it also makes sense that both vows contain similar ideals within them.

What’s most interesting, though, is that both of them require that the professionals maintain the privacy of their patients. It wouldn’t be until 1994 until the US government passed the Health Insurance Portability and Accountability act, yet both Hippocrates and Florence Nightingale knew the importance of protecting patient privacy. 

Since there are three instances within the healthcare space that not only allude to but also require the protection of health information, nothing wrong ever happens and the medical space lives happily ever after.

I’m being facetious, the reality is that we live in a world where the protections put in place to safeguard sensitive medical information sometimes aren’t enough. Breaching this information happens often, yet, out of all of the different ways, accessing information by unauthorized individuals is one of the most common.

But, what exactly are the consequences of accessing a patient chart without a valid reason?

Let’s say you’re a general practitioner that just got done with an appointment for someone named Richard Smith at a large healthcare facility. After escorting the patient out of the exam room, you walk back to your office, log in to your computer, open up your organization’s electronic health record (EHR) system and add the notes. Once complete, you save your notes and move on to your other daily tasks.

A few days go by and you receive an email from your IT Department. Your heart sinks the moment you see the headline, “Notification of Unauthorized Access”. It turns out that the patient chart you entered your notes for after Richard Smith’s appointment was for a patient from an entirely different department, yet they had the same name.

That’s a tiny detail you missed that had a massive impact on the medical record of someone else. If it went unnoticed, who knew what would’ve happened.

The events you committed in this instance is a HIPAA violation for accessing the wrong patient chart altogether. Yet, you most likely won’t face massive consequences for your actions.

That’s because the fault more so falls on the organization you’re working for. The IT department that emailed you about your unauthorized access should’ve had restrictions in place that didn’t allow you access to the other Richard Smith’s file at all.

They figured out that you accessed the wrong file because of their ability to look at user history, which is a good safeguard to have in place. However, the organization could still run into legal trouble if unauthorized users have access to information that they shouldn’t.

In September of 2020, the Office of Civil Rights imposed a $6.85 million fine on Premera Blue Cross for risk management failures. In their case, a threat group gained access to their EHR and remained unnoticed for 9 months.

Sure, this scenario is a little different from mine, yet the overarching concept remains. You may not face a huge consequence for accessing patient information accidentally, but it could lead to massive fines for the organization as a whole.

As I’m sure you know, compliance departments love training.

If their training programs aren’t any good then it’s likely that the organization you’re working for might have constant problems with staying HIPAA compliant. Nevertheless, I digress, that’s a topic for a separate blog post.

One of the most standard operating procedures that go into effect the moment your compliance department gets word that you committed a breach is your retraining program.

No matter how small the breach you committed is, you’re going to have to have a talk with the department in charge of ensuring the understanding of government regulations. From that discussion, they’ll determine whether or not you should sit through the entire session or if you only need a refresher on certain pieces.

Advertisers and marketers across the nation adhere to what’s known as the “Rule of 7”. In essence, brands need to state their message to their clients at least 7 times before they take any action. It’s part of the reason why some commercials repeat themselves over and over.

In other words, it takes that long before a customer understands what’s offered and that they need to buy it.

I’d wager that the compliance team at your organization hopes that it takes less than 7 times to train each individual before they understand HIPAA. Nevertheless, this advertising rule may apply to learning, meaning one of your consequences may end up being a day’s worth of retraining sessions.

If your organization has engaging content, though, that’s more like a fun learning opportunity than a consequence.

Accessing a patient chart you shouldn’t is one thing, what you do while you’re in that file is what ultimately determines the severity of your consequences.

Say a celebrity checks into the hospital you’re working for and it happens to be in another department. You’re not overly curious because you have a healthy relationship with the understanding that celebrities are just people, regardless of their status. That’s a healthy mindset, especially within the healthcare field.

It’s not a HIPAA violation to know among the employees there that someone of a certain status is at the hospital. However, your co-worker, who doesn’t have as healthy boundaries as you do, can’t control their curiosity.

After all, you work at a smaller, rural hospital so having a celebrity check-in to it hasn’t ever happened.

Well, similarly to what happened in the first scenario I gave you at the beginning of this blog post, the IT department finds out that your co-worker took a peek in the celebrity’s medical file. Instead of getting off with a warning, the hospital administration fires the curious employee on the spot.

They did this because of the sensitivity involved with the situation. However, there’s also some additional, outside pressure involved as well. If it got out that the employee snooped the medical file of a “high-profile” patient, that could lead to bad PR.

This entire scenario has happened before to an unlucky few celebrities. That happened to Jussie Smollett in 2019, after he checked into the hospital for an alleged hate crime attack. In that case, though, 50 employees peeked into his patient chart without a reason or proper authorization. The hospital fired every worker who viewed his file on the spot.

The worst possible consequence you could face for accessing a patient chart without a reason is that you face a jail sentence.

That seems harsh, right? Why would you have to go to jail for committing something that a couple of sections ago I mentioned might not be that big of a violation? Well, like any big crime, what matters most in determining whether or not you should go to jail is your motive.

If you worked within the wrong patient chart by mistake, you most likely won’t need a massive penalty. If you went into a patient chart of someone whom you didn’t have authorization to view out of curiosity, you’ll end up getting fired.

So, what’s the next step that pushes you into the realm of incarceration?

Let’s rewind the scenario from the previous section and change a couple of the details. Instead of a celebrity checking-in at the hospital you work at, let’s say it’s your co-worker’s ex. This changes the dynamic a little bit.

In order to get revenge for past transgressions, the co-worker takes a peek into their ex’s chart. The worker finds out that their former significant other has a lifelong disease that they never mentioned.

Out of a mixture of rage and revenge, the co-worker goes on Facebook and writes a post that exposes the private information of their ex for everyone to see. Once the patient checks out of the hospital you work in, they quickly find out what happened. As a result, they press charges on the co-worker who committed the act.

Due to the vengeful nature of what your co-worker did, it shouldn’t be a shock to them when they receive a long sentencing to the county jail.

Of course, I laid this scenario out as a rhetorical. Yet, there is evidence out there of similar, real-world situations like it that exist.

One specific example happened in March of 2019. A disgruntled healthcare professional found out that the girlfriend of her ex checked into the hospital that she worked at. The worker then accessed the patient’s PHI and posted them on Twitter.

So, after all of this, can we answer the question, “What are the consequences of accessing a patient chart without a reason?” If you read the whole blog post, you know the answer isn’t yes or no.

Every HIPAA breach scenario that happens in the real world is unique. But, each of the scenarios I gave you throughout this post are real, they’ve happened before. Based on the details given throughout each, we can make an educated guess about the upcoming consequences.

No healthcare professional should access a patient chart without a reason. That goes against both their oath upon graduation and the rules laid out within HIPAA. Yet, mistakes do still happen. Similarly, so does curiosity and spite.

The best way to determine the consequences ahead is by evaluating what happened and asking yourself the following question; was there a motive behind what I did or was it an accident?

Your answer to that question will make it easier for you to determine what to expect.