© Springer International Publishing Switzerland 2016
Lewis A. Hassell, Michael L. Talbert and Jane Pine Wood (eds.), Pathology Practice Management, 10.1007/978-3-319-22954-6_17
17. Corporate and General Liability
(1)
Department of Pathology, University of Oklahoma Health Sciences Center, 940 Stanton L. Young Blvd., BMSB 451, 73104 Oklahoma City, OK, USA
(2)
McDonald Hopkins, LLC, 956 Main St., 02638 Dennis, MA, USA
Keywords
Liability, Insurance, Business operations, Risk, HIPAA, Protected health information (PHI), Directors and officers insurance, Embezzlement
Case: Organizational Risk
Dr. Roberts is the only neuropathologist in his group that serves three neurosurgeons, one of whom occasionally operates on tumor cases. When Dr. Roberts travels for meetings, he makes himself available to do remote consultation on frozen sections using scanned whole-slide images of the frozen section viewed on a mobile device and a cell phone for verbal reporting of his opinion. While traveling in Asia, he is asked to consult on a case when he is in the waiting area of a busy airport. People on both sides of him can readily view the images of the slide and the information on the label of the slide.
Is this a reportable Health Information Privacy and Accountability Act (HIPAA) violation that subjects the practice to risk?
What kinds of policies might be put in place to manage that risk while not restricting Dr. Roberts’ ability to view the images wherever he is?
Discussion: There are issues here that could place the organization at risk and create a need to have policies about using mobile devices and accessing patient data in public places, on phones, tablets, or other tools.
Storage of personal health data on such devices has proven a very costly risk for several high-profile institutions as well as individual medical practices when such devices were lost or stolen and a security breach needed reporting. HIPAA imposes rather stiff penalties for even inadvertent release of patient medical information to unauthorized persons, a liability that is not covered by most general business insurance. Prevention in the form of good practices, solid policies, training, and awareness is critical to escaping the potentially large fines for release of protected health information (PHI). A number of notable large institutions have received negative press and faced liability following the loss of electronic media such as hard drives, laptops, or other media containing even seemingly innocuous patient-identifiable data such as admission dates, accession numbers, zip codes, etc. Federal law requires practices to have HIPAA policies in place, as do quite a few states. Every practice should have a HIPAA privacy and security officer who is responsible for ensuring that appropriate practices and policies have been implemented, and who can assist in coordinating a response in the event of a possible privacy breach.