When Personal Health Information  Becomes Too Much Information

When Personal Health Information Becomes Too Much Information

Employees’ online access to protected health information poses a privacy risk for unprepared employers.

What do your employees do at work when they’re not doing what you’re paying them to do?

Over my 30-plus years in the workforce, I’ve seen more than my share of the creative ways employees spend part of their work day. My dad used to call what they were doing “government projects.”

One person I worked with spent most of her time shopping online. Virtually every time I walked into her office, her screen was full of high-end purses, shoes or dresses. I would pretend not to notice as she fumbled to minimize her next purchase while maintaining eye contact with me so I wouldn’t look away.

Online poker, fantasy football, soap opera chat rooms, Ms. Pac-Man, cat toys. You name it and I’ve probably seen it on someone’s computer screen. That’s not to mention all the things I’ve found left on copiers. Utility bills, resumes and tax returns top the list of items I can cite in this column and maintain a sense of propriety.

But nothing I’ve seen either on a computer screen or left on a copier will compare with—or carry the financial risk of—what employers will start finding around the office sooner rather than later: That’s the protected health information, or PHI, of employees.

Two trends are sweeping the health care industry that will make PHI, defined as individually identifiable personal health information, a workplace issue that will be a land mine for employers. The first trend is the digital revolution in health care. One of the last industries to enter the digital age, health care is finally going electronic—encompassing everything from patients’ medical records to mobile applications to text messaging with doctors to remote health monitoring to telemedicine. The second is consumer information. Patients are demanding access to price and quality information as well as access to their own medical information and on-demand health care services.

There is a growing recognition in health care that patients, not the hospitals, doctors or pharmacists who treat them, own their own health data, no matter where the information resides, including in electronic health records. In February, for example, the federal government for the first time gave patients the right to receive their laboratory test results directly from the labs themselves rather than waiting to receive the lab results from physicians. (You can learn more about accessing your lab results here.) Mix that with a healthy dose of consumer savvy, and you’ve got employees looking up their own PHI at work.

In fact, 36 percent of health care organizations now give patients remote online access to their own medical records, according to a recent survey of nearly 300 health care chief information officers by the Health Information and Management Systems Society (HIMSS). That’s up from 28 percent last year and 23 percent in 2012. (Survey results are here.) Another survey, of more than 600 physicians by the Deloitte Center for Health Solutions, found that one-third now communicate with patients via email or text messages. (You can read the survey results here).

Unplanned sharing of PHI in the workplace also might not be accidental. There are snoops among us who may not maintain eye contact when they see someone’s medical record on a screen, and indulge in learning about tests ordered or medications prescribed. Another survey conducted by HIMSS of nearly 300 health care chief information officers found that the greatest motivator to take measures to protect the privacy of individual medical information in their organizations’ possession was deliberate snooping by employees. These are the same employees who presumably know as well as you or me that someone’s medical information is private (survey results here).

All of this unplanned sharing of PHI, made possible by the digitalization of health care and health care consumer data, may pose a liability risk for employers under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The provisions regulate and protect the privacy of personal medical information, and the provisions—and the penalties for violating them—apply to “covered entities” and “business associates.” Covered entities are organizations such as hospitals, doctors and health plans, and business associates are any individuals or organizations that handle PHI on behalf of a covered entity. (You can learn more about HIPAA here.)

The penalties for breaching the privacy of protected health information are steep. Depending on the size, severity and intent of the breach, penalties can be civil (up to $50,000 per violation) or criminal (up to 10 years in prison). In 2013, there were 199 major breaches of PHI by covered entities and business associates, putting a total of nearly 7.1 million individual patient records at risk, according to a recent report from Redspin.

I don’t think HIPAA was ever intended to apply to employers unless they specifically were a covered entity or a covered entity’s business associate. It’s not hard to imagine an employee or his or her attorney seeking to apply HIPAA to a business that allowed violations of PHI to occur through no fault of its own, however. Given the immediate electronic availability of PHI, the desire for employees to peruse their own PHI and their willingness to do so at work, employers are in a tough position unless they develop policies to protect themselves.

Employers may want to consider:

  • Prohibiting access to non-urgent PHI at work.
  • Restricting the transmission of non-urgent PHI between employees and covered entities and business associates.
  • Designating private space for employees to access urgent and non-urgent PHI.
  • Conducting educational sessions on the privacy of PHI and the penalties for violating it.

Smart businesses will get ahead of this one before their CEO prints out his or her lab results and leaves it on the copier. You know it’s going to happen.


David Burda (twitter.com/@davidrburda, dburda@msp-c.com) is editorial director, health care strategies, for MSP-C.

Related Stories