An internet television program that explores the intersection of medicine and the law.

Risk Management Advice for Physicians on Maintaining EMR HIPAA Confidentiality

By Tad Devlin to EMR/EHR


In this episode, Healthcare Matters interviews ALL MD attorney Tad Devlin on risk management techniques for protecting HIPAA confidentiality in regard to electronic medical records. Devlin shares a case he was affiliated with where there was an internal breach of a employee/patient’s medical record.

Devlin is a partner at KAUFMAN, DOLOWICH, VOLUCK. He practices law in California, focusing his practice in the areas of commercial and insurance litigation, ERISA/life, health and disability benefit disputes, profit sharing plan and employee stock plan disputes, real estate, financial services disputes, professional liability (lawyers, doctors, accountants, real estate, insurance agents, architects and engineers), disciplinary defense and white collar defense.

Devlin is a charter member of the Association of Liability Lawyers in Medical Defense (ALL MD), a nationwide organization that connects healthcare providers with attorneys who specialize in medical malpractice defense.

Question 3 of 4

Interview recorded June 17, 2015


Mike Matray: Hi, I’m Mike Matray and I’m the host of Healthcare Matters, where the legal and medical fields come together to discuss healthcare matters. Today’s guest is Tad Devlin. He’s partner at Kaufman Dolowich Voluck, Welcome to Healthcare Matter, Tad.

Tad Devlin: Thanks Mike, pleasure to be here with you.

Mike: HIPAA data breaches are emerging as one of the largest systemic risks a hospital or a large group faces in the modern healthcare delivery system. What risk management advice would you give physician clients for maintaining HIPAA Confidentiality within their EMR system?

Tad: That’s an excellent point. I’ll just tell you that I had a case come across my desk where it was a hybrid. It was an alleged internal breach at a hospital for one of their employees who came in as a patient. Under that scenario, in that fact pattern, the patient/employee had checked a confidentiality box on a form, and when that form got entered into the system, there was a disconnect internally and the circumstances of the employee/patient’s visit to the hospital were disclosed and other very sensitive private information about his medical history, where all of a sudden it became water cooler fodder, which was relayed to him, of course, via a text message from another colleague. It’s an electronic game of post office.

So, to avoid that and avoid allegations of a systemic breach or of an anthem class-size breach, I think it’s incumbent to have external, internal and practical safeguards. In reverse order, a practical safeguard would be an isolated, dedicated electronic database entry area. Not a cube, but an actual office with a door. On top of that, you’ve got a chain of custody for those who enter into the system, both manually, through the old fashioned, “I’ve checked the kitchen area, and I was the last person in here,” and on the computer digital footprint, if you will, so it’s an assigned login. And then you could also have privacy screens on the face of the monitor, which I’ve seen on airplanes. They’re pretty useful to prevent an onlooker from happening upon some information that they shouldn’t see. Folks are generally curious. Even if a screen is left open, they will look, just by nature, and see what it is.

That there, the minute the toothpaste is out of the tube, so to speak, it’s hard to put it back, so then other internal safeguards can be with respect to only dedicated personnel are entitled to use it. They have the most sufficient encryption method they can have, they have secure access points, and externally, to keep out potential exposure to outside leaks. That requires ensuring that your cyber program is up to snuff and that your IT department, the dedicated resources are there, even though that may not be a desired spot of the budget, doing that work on the front end to prevent some opportunistic folks externally to access data and then try to sell that on a secondary market is money well spent, in my opinion.