Protecting Patient Data Appropriately During Residency Training

In the decade after the shift to electronic health records (EHR), the convenience and efficiency of sharing patient data may put the security of patient information at risk. Additionally, the authors assert that data sharing guidelines are essential for health care professionals to ethically acquire, use and manage data daily.
 
Electronic patient information systems enhance access to health information and can make health services more efficient. However, electronic records may serve other important purposes. The Council on Podiatric Medical Education (CPME) has been sanctioned by the American Podiatric Medical Association (APMA) to oversee residency programs and make sure that there is compliance with established minimum requirements to support the program. Residencies must be approved by the Residency Review Committee and CPME.^1,2 Residency programs are required to collect and keep electronic documentation of case involvement and supply these cases in the event of an audit. It is the responsibility of the resident to maintain a surgical log of surgical cases and clinical encounters, which are verified by the residency director or related governing body. There is also a recent endeavor by the same governing bodies to standardize fellowship surgical logging experiences. Currently, there is no logging system in place and standardization for fellowship logging in our field. Our group performed a recent survey of leading foot and ankle podiatric surgery fellowships and found a majority (80%, n=32) utilized unsecured online databases (Google Drive, Google Docs) shared with staff, directors, and previous/co-fellows, (17.5% n=7)  utilized unsecured offline Microsoft Excel files which were manually provided to their director upon request, and a single user (2.5%, n=1) was utilizing a standard sized paper notebook with patient stickers attached.
 
In our experience, trainees are often required to keep logs of their personal surgical experiences for a multitude of reasons, such as satisfaction of program requirements or future board qualification. A common practice among experienced surgeons and new resident trainees alike is to keep a physical copy of surgical logs, including patient stickers from patient charts, or storing patient information on mobile devices or unsecured digital locations (ie, Google Drive documents).
 
In the authors’ observation, the convenience of a surgical logbook overwhelmingly supersedes the act of directly entering this patient information on an online database. Due to time constraints, residents find alternative ways to efficiently store patient stickers until time allows entry of the information online. This brings into question the protection of patient information and Health Insurance and Portability and Accountability Act (HIPAA) compliance.
 
According to a survey study by McKnight et al., out of 2,427 responses among residents, fellows, and attendings at ACGME training programs, 58% of all residents self-report violating HIPAA.³ Such violations among health care practitioners may include unsecured texting, standard photo and video messages, and non-encrypted emails containing protected health information (PHI). In addition, clinical photographs, imaging studies, and intraoperative images, which may or may not contain PHI, are commonly shared for the enhancement of education, research, and patient care. The sharing of these clinical documents should be performed with an awareness of the consequences associated with HIPAA violations.⁴ Reasons for noncompliance include lack of knowledge, habit, inaccessibility, and pure inconvenience.³ Creation and implementation of a detailed ethical code for external data sharing with large datasets and mobile applications is crucial, following HIPAA-compliant protocols.⁵

What Happens If Logs Are Lost?

The authors interviewed a few individuals who lost their surgical logbooks during residency training. Interviewees said they contacted their respective residency directors, who then escalated the issue to their hospital institution’s risk management department. The residents shared that their specific hospital protocol stipulated that they had to specify all patient information at risk and also had to undergo HIPAA training. Risk management would then have to report HIPAA violations to the Office for Civil Rights (OCR) as well as a patient-specific HIV/AIDS database as needed. Whenever a HIPAA violation occurs, we have observed that hospitals are often required to provide identity monitoring, potentially pay fines and provide preventive and educational resources for violators to review. While these policies are put in place at hospitals regularly, we have found that they vary widely. There are published penalties for a breach and breaches must be relayed to the affected individual. In the event the breach affects over 500 individuals,  there are other necessary reports sent to local media and the secretary of HHS.⁶
 
The necessary minimum number of cases to graduate from a CPME approved residency is 350, however many residents go well over this minimum number. The liability of the logbook increases along with the success of the residency training and greater case load.

Healthcare Data Breaches: What Are the Legal Obligations?

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured PHI to affected individuals, the Secretary of the United States Department of Health and Human Services, and, in certain circumstances, to the media.6
 
Once a data breach occurs, one would notify security at the hospital, and this process may vary by institution, and file an internal incident report. Risk management would be notified as well as the ethics and compliance committee(s). Informational technology and the security and risk management teams would then be involved to mitigate and cease on-going risk as well as determine fault. The burden of proof is placed on the institution at fault for the break.⁷ The incident would also be reported to the institution’s legal team. The hospital would try to identify exposed PHI. If there is indeed a violation of PHI, then the hospital is obligated to provide identity theft insurance to impacted patients. The individuals would be notified formally and informed of the processes being undertaken to protect them. Additionally, medical professionals involved would undergo HIPAA training.
 
There are legal obligations that apply to private practice as well. In the stipulations set forth by CMS, there are levels of culpability by severity: No knowledge, reasonable knowledge, willful neglect, timely correction, and willful neglect without timely correction. Institutions, practices, and corporations must provide evidence (in case of breach) that all security measures were taken to prevent these beforehand. If these were not in place at the time of a breach, while actively keeping or transferring HIPAA related data, then the severity of the culpability is increased as well as the penalties.⁸

Where Do We Go From Here?

We must acknowledge that despite implementing laws to protect PHI in the time of advanced technological advancement, a large portion of medical trainees and medical professionals still disregard these rules.² As clinical medicine shifts towards a more preventive point of view, the authors have to ask why this has not happened yet for HIPAA standards and the associated archaic workflow that in their observation is so common? There are options available for practitioners to both optimize their workflow and remain security conscious. The medical community would benefit from further examining the cause for these types of HIPAA violations and work towards potential remedies and more convenient logging pathways.
 
Alexandra T. Black, DPM, AACFAS, DABPM is a fellowship-trained foot and ankle surgeon with Foot and Ankle Specialists of Central Ohio.
 
Jered M. Stowers, DPM, AACFAS, DABPM is a fellowship-trained foot and ankle surgeon with Foot and Ankle Specialists of Central Ohio.
 
Andrew C. Falco, DPM, AACFAS, DABPM is a fellowship-trained foot and ankle surgeon with Dynamic Foot and Ankle Center in Virginia.

References
 
1.    Council on Podiatric Medical Education. (n.d.). Residencies. CPME. Retrieved January 25, 2023, from https://www.cpme.org/residencies/content.cfm?ItemNumber=2277
2.    CPME 330, Procedures for Approval of Podiatric Medicine and Surgery Residencies June 2020, version 032022
3.    McKnight R, Franko O. HIPAA Compliance with Mobile Devices Among ACGME Programs. J Med Syst. 2016;40(5):129. doi:10.1007/s10916-016-0489-2
4.    Reynolds RA, Stack LB, Bonfield CM. Medical photography with a mobile phone: useful techniques, and what neurosurgeons need to know about HIPAA compliance. J Neurosurg. 2019;132(1):260-264. doi:10.3171/2018.8.JNS182075
5.    Hollis KF. To Share or Not to Share: Ethical Acquisition and Use of Medical Data. AMIA Jt Summits Transl Sci Proc. 2016;2016:420-427. Published 2016 Jul 20.
6.    (OCR), O. for C. R. (2021, June 28). Breach reporting. HHS.gov. Retrieved January 29, 2023, from https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
7.    (OCR), O. for C. R. (2021, June 28). Breach reporting. HHS.gov. Retrieved January 29, 2023, from https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
8.    The Federal Register. Federal Register :: Request Access. (n.d.). Retrieved January 29, 2023, from https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162
 
Disclaimer: The views and opinions expressed are those of the author(s) and do not necessarily reflect the official policy or position of Podiatry Today or HMP Global, their employees and affiliates. Any content provided by our bloggers or authors are of their opinion and are not intended to malign any religion, ethnic group, club, association, organization, company, individual, anyone or anything.