Hospital firings

Nov. 20, 2008

By Jacob Quinn Sanders
Arkansas Democrat-Gazette

St. Vincent Health System fired as many as six employees last month for improperly accessing the records of Little Rock morning television news anchor Anne Pressly while she was a patient at the company’s main hospital, the chief executive confirmed Wednesday morning.

System President and Chief Executive Officer Peter Banko said that while Pressly, 26, was still alive and a patient at St. Vincent Infirmary Medical Center in Little Rock, a routine patient-privacy audit showed that as many as eight people gained access to her records improperly.

“Those records were being audited every day,” he said, “and as soon as we learned of a possible breach, we investigated.”

All eight were placed on leave pending a swift investigation, which determined that at least two had valid reasons for viewing Pressly’s records, Banko said.

“The others, and I won’t say how many exactly, the rest we terminated immediately on the same day,” Banko said. “I will say it was more than one.”

Dismissal was a natural penalty for any breach of a patient’s privacy rights, he said.

“Patient privacy is a matter of law, and it is a matter of policy for us,” Banko said. A statement the hospital released later said officials notified Pressly’s mother and stepfather of the breach at the time. Pressly’s stepfather, Guy Cannady, declined a request for comment. Banko declined to name the jobs the employees held. Doctors are not hospital employees, Banko said, and so could not have been fired.

The United Healthcare Local 22 of the Office and Professional Employees International Union, which represents nurses at St. Vincent’s, did not respond to a phone message.

Fred Knight, general counsel for the Arkansas State Board of Nursing, said his agency has received no patient-confidentiality complaints against St. Vincent’s nurses since Oct. 20, the day Pressly was admitted to the hospital after someone beat her severely in the bedroom of her home in Little Rock’s Heights neighborhood.

Pressly, who had worked for KATV, Channel 7, since 2004, never regained consciousness. She died Oct. 25.

Detectives have made no arrests and have provided no information about a suspect.

In the matter of Pressly’s records, detectives have received no reports of a theft and are not investigating the former St. Vincent’s employees, said Sgt. Cassandra Davis, Little Rock police spokesman.

Accessing medical information without authorization can be a violation of federal law.

Enforcement of the so-called privacy rule contained in the federal Health Insurance Portability and Accountability Act — known commonly as HIPAA — began in 2003. The rule designated some health information as protected and is generally interpreted to mean any part of a patient’s medical record or payment history.

“Basically it means don’t tell nobody nothing never,” said Ed Goldman, chief of the legal office at the University of Michigan’s health system, who has written on medical privacy issues.

And the act limits access to the records to those directly providing or supporting a patient’s care.

“There is no exception for being in the public eye,” Goldman said. “You can only look at the records if they are immediately relevant to your job. Say someone … works in billing. They can look up what they need to bill you. Or your doctors or nurses providing care or assisting in providing care. You can’t just look up people because you feel like it.”

Banko was the vice president of a Texas hospital system in 2006 when Vice President Dick Cheney shot and wounded a friend while hunting in the state — a friend who went to one of Banko’s hospitals for treatment.

“The same thing happened in that instance,” Banko said. “People got curious and accessed things they shouldn’t have accessed. And we did the same thing then: We terminated them.”

Violations of the act, however, rarely result in federal criminal charges. Criminal penalties range from a $50,000 fine and one year in prison to a fine of $250,000 and a prison sentence of 10 years.

The first and only conviction in Arkansas came in April when a licensed practical nurse in Trumann pleaded guilty to wrongfully disclosing a patient’s health information for personal gain. The nurse admitted passing the information to her husband, who threatened the patient with disclosure in “an upcoming legal proceeding.”

The nurse’s sentencing is scheduled for Monday.

Most complaints about violations of the law go the Office of Civil Rights within the U.S. Department of Health and Human Services, which can investigate them and slap health-care providers with administrative sanctions.

“In this case,” Goldman said, “it sounds like the hospital in Little Rock dealt with the violation swiftly and properly. I don’t know that there would be anything more for HHS to do.”

And though the law has no provision allowing a federal lawsuit, national and local HIPAA authorities said some state-court lawsuits can go forward.

“On occasion a state court is the appropriate place for a remedy, and the case will be successful,” said James Hodge, an associate professor at the Johns Hopkins Bloomberg School of Public Health in Maryland, who teaches health information and privacy law. “The privacy rule itself may not provide for the remedy, but it does provide a national standard a patient can expect. Deviate from the national standard and a state court can take that case.”

Vera Chenault, the HIPAA campus coordinator for the University of Arkansas for Medical Sciences, said in some cases state privacy laws are more strict than provisions of the federal law, which can also trigger lawsuits.

“Arkansas is not one of those states, though,” she said. “We don’t have a privacy law. HIPAA is going to be the privacy standard for Arkansas.”

Hodge, like Goldman, said that St. Vincent Health System acted appropriately.

“But then you still have to wonder,” he said, “why is there not more limited access to those records — especially with a prominent individual when you could really expect an unauthorized person would get overly curious? Why does the hospital allow any employee access to records they do not need to see?”

  1. […] that in addition to many of the stories I tossed up on this site, I make sure to add at least a few articles with straight ledes just to show that I can do those, […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s