
Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?

Posted on February 5, 2015 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Sutter Health’s California Pacific Medical Center (CPMC) recently announced an employee accessing patient files without a business or treatment purpose. Here are the details from their press release:

California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.

CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation.

The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.

This was a fascinating breach of HIPAA. In fact, it starts with the question of whether we should call this a breach. In the HIPAA sense, it’s a breach of HIPAA. In the IT systems security sense, I could see how people wouldn’t consider it a breach since the person didn’t visit anything he wasn’t authorized by the IT system to see. Semantics aside, this is a HIPAA issue and is likely happening in pretty much every organization in the US.

My last statement is particularly true in larger organizations. The sheer number of staff means that it’s very likely that some users of your IT systems are looking at patient records without a specific “business or treatment purpose.” I’m sure some will use this as a call for a return to paper. As if this stuff didn’t happen in the paper world as well. It happened in the paper world, but we just had no way to track it. With technology we can now track every record everyone touches. That’s why we’re seeing more issues like the one reported above. In the paper world we’d have just been ignorant of it.

With this in mind, I start to wonder if we won’t see some HIPAA audits for organizations that haven’t reported any violations like the ones above. Basically, the auditors would assume that if you hadn’t reported anything, then you’re probably not proactively auditing this yourself and so they’re going to come in and do it for you. Plus, if you’re not doing this, then you’re likely not doing a whole slew of other HIPAA requirements. On the other hand, if your security policies and procedures are good enough to proactively catch something like this, then you’re probably above average in other areas of HIPAA privacy and security. Sounds reasonable to me. We’ll see if it plays out that way.
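As an added illustration of what a proactive access audit like the one described above can look like (this is not code from the post, Sutter or CPMC), the Python below checks constructed EHR access-log lines against a constructed care-team roster and reports users who opened records of patients they have no treatment relationship with. The log format, roster, user ids and the two-patient reporting threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from Sutter/CPMC): a care-team roster mapping each
# patient to staff with a treatment relationship, and EHR chart-access log lines
# in the form "timestamp|user|patient|action".
CARE_TEAM = {
    "P1001": {"rn_ortiz", "md_chen", "rx_adams"},
    "P1002": {"rn_ortiz", "md_chen"},
    "P1003": {"md_patel", "rx_adams"},
    "P1004": {"md_patel"},
    "P1005": {"rn_ortiz", "md_chen"},
}
ACCESS_LOG = """\
2014-10-09T08:02:11|rx_adams|P1001|view_med_list
2014-10-09T08:05:40|rx_adams|P1002|view_chart
2014-10-09T08:06:02|rx_adams|P1004|view_chart
2014-10-09T08:06:30|rx_adams|P1005|view_chart
2014-10-09T09:15:00|md_chen|P1001|view_chart
2014-10-09T09:20:10|rn_ortiz|P1003|view_chart
2014-10-09T10:00:00|rx_adams|P1003|view_med_list
"""

def parse_log(text):
    """Parse pipe-delimited access lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, patient, action = line.split("|")
            rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                         "patient": patient, "action": action})
    return rows

def unexplained_accesses(rows, care_team):
    """Accesses where the user has no treatment relationship with the patient."""
    return [r for r in rows if r["user"] not in care_team.get(r["patient"], set())]

def audit(text, care_team, threshold=2):
    """Group unexplained accesses by user and report users whose count of
    distinct affected patients meets the threshold: {user: sorted patient ids}.
    Broadening the review is just re-running over a wider log slice, which is
    how 14 notified patients became 844 in the CPMC case."""
    touched = defaultdict(set)
    for r in unexplained_accesses(parse_log(text), care_team):
        touched[r["user"]].add(r["patient"])
    return {u: sorted(p) for u, p in touched.items() if len(p) >= threshold}
```

Every hit still needs a human review: a covering pharmacist or a consult that never made it into the roster looks identical to curiosity browsing in the log alone, which is why CPMC notified patients whose records "may have" been accessed.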

The other lesson we need to take from the above HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture of privacy and security. Part of that culture is that they’re sometimes going to catch bad actors whom they need to correct.

Healthcare IT software like EHRs has a great ability to track everything that’s done, and it’s only going to get better at doing it. That’s a good thing, and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like the one mentioned above for their proactive efforts to take care of the privacy of their patients’ information. I hope we see more organizations like Sutter Health take a proactive approach to the security and privacy of healthcare information.

Adding Insult To Injury, Sutter’s Epic EMR Crashes For A Day

Posted on August 30, 2013 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The Epic EMR at Northern California’s Sutter Health crashed earlier this week, leaving the system inaccessible for an entire day, reports Healthcare IT News. The system, which cost Sutter nearly $1 billion, went offline at approximately 8AM, locking out doctors, nurses and staff from accessing vital information such as medical lists and patient histories.

The crash came a few days after a planned eight-hour downtime scheduled to implement an upgrade. During that period nurses could still read med orders and patient histories but had to record new data on paper and re-enter it into the system later, Healthcare IT News notes.

During the unplanned outage this week, the Epic system was offline at several Sutter locations, including Alta Bates Summit Medical Center, Eden Medical Center, Mills-Peninsula Hospital, Sutter Delta, Sutter Tracy, Sutter Modesto along with several affiliated clinics, the magazine said.

The outage drew the ire of the California Nurses Association, which called this incident “especially worrisome.” But the CNA notes that the crash is hardly the first time there’s been a concern over the Epic rollout. Nurses at Sutter have been complaining for months about alleged safety problems with the Epic system, notes the Sacramento Business Journal.

According to the CNA, more than 100 nurses had previously filed complaints at Alta Bates Summit, arguing that the Epic system was hard to use, and that computer-related delays had adversely affected the ability of nurses to monitor patients properly.

Sutter nurses’ complaints included the following:

• A patient who had to be transferred to the intensive care unit due to delays in care caused by the computer.
• A nurse who was not able to obtain needed blood for an emergent medical emergency.
• Insulin orders set erroneously by the software.
• Missed orders for lab tests for newborn babies and an inability for RNs to spend time teaching new mothers how to properly breast feed babies before patient discharge.
• Lab tests not done in a timely manner.
• Frequent short staffing caused by time RNs have to spend with the computers.
• Orders incorrectly entered by physicians requiring the RNs to track down the physician before tests can be done or medication ordered.
• Discrepancies between the Epic computers and the computers that dispense medications causing errors with medication labels and delays in administering medications.
• Patient information, including vital signs, missing in the computer software.
• An inability to accurately chart specific patient needs or conditions because of pre-determined responses by the computer software.
• Multiple problems with RN fatigue because of time required by the computers and an inability to take rest breaks as a result.
• Inadequate RN training and orientation.

Sutter officials, for their part, are not having any of it. Hospital spokeswoman Carolyn Kemp called the allegations that Epic was causing problems “shameful,” and argued that the accusations are arising because the hospital system is involved in a labor dispute with the CNA.

Meanwhile, Sutter execs are turning up the heat on nurses whom they feel aren’t using the EMR properly. According to Healthcare IT News, leaders have been scolding nurses whom they believe have not been entering all billable services into the EMR, which resulted in a loss of $6,000 in a single week, according to a July memo obtained by HIN.

Sutter’s spokesperson, Bill Gleeson, offered this official response:

Sutter Health undertook a long-planned, routine upgrade of its electronic health record over the weekend. There’s a certain amount of scheduled downtime associated with these upgrades, and the process was successfully completed. On Monday morning, we experienced an issue with the software that manages user access to the EHR. This caused intermittent access challenges in some locations. Our team applied a software patch Monday night to resolve the issue and restore access. Our caregivers and office staff have established and comprehensive processes that they follow when the EHR is offline. They followed these procedures. Patient records were always secure and intact. Prior to Monday’s temporary access issue, our uptime percentage was an impressive 99.4 percent with these systems that operate 24/7. We appreciate the hard work of our caregivers and support staff to follow our routine back-up processes, and we regret any inconvenience this may have caused patients. California Nurse Union continues to oppose the use of information technology in health care but we and other health care provider organizations demonstrate daily that it can be used to improve patient care, convenience and access. While it’s unfortunate the union exploited and misrepresented this situation, it comes as no surprise given the fact that we are in a protracted labor dispute with CNA.

4500 Patient Records Found During Drug Bust

Posted on June 12, 2013 | Written By John Lynn

In the healthcare world, it seems that HIPAA privacy violations and HIPAA lawsuits are the car accidents that people can’t resist checking out. People in healthcare are mostly interested to see what happened with the HIPAA violation and what the consequences were for that violation. In fact, these violations wake people up to the HIPAA policies better than any other means, but I digress.

Since this blog is called EMR and HIPAA, I try and cover various HIPAA related issues I hear about in the news. Today’s HIPAA breach is pretty crazy. It was discovered during a drug bust by the Alameda County Sheriff’s department. During the drug related investigation they found information for 4,500 patients from three hospitals: Alta Bates Summit, Sutter Delta, and Eden Medical Center.

Sutter Health posted a notice about the breach. The notice says that the information could have included: a patient’s name, Social Security number, date of birth, gender, address, zip code, home phone number, marital status, name of employer and work phone number. Sutter has offered free credit monitoring services for those patients who are involved. Plus, they have a hotline set up for those who have questions.

This situation is a bit unique since it seems they haven’t been able to identify exactly which hospital each patient is from. If that’s the case, then releasing all of the patient data to all three hospitals could be a breach as well, no? I’m fine with making sure you notify everyone on the list who could be affected. They should be notified, but I’d be interested to know which of the 4,500 patients’ records were shared with which hospital.

I wonder if large organizations like Sutter Health are creating a permanent department for breaches.