On January 13, 2015, a hospital in West Palm Beach, Florida discovered that an unidentified juvenile had been walking its halls dressed as a physician, wearing a lab coat with the hospital’s logo and a stethoscope. According to the Sun Sentinel, a patient reportedly told the hospital’s OB/GYN offices that a young man who “looked like a child” had entered an examination room. Hospital staff immediately reported the patient’s concerns to the West Palm Beach Police Department, which investigated the incident. When questioned, the suspect told police that he had been a doctor for years. To make matters worse, the teen is believed to have been playing doctor for weeks before being detected. According to his mother, the teen was under the care of a doctor and suffered from an illness for which he refused to take prescribed medication.
Although the hospital denies that the juvenile had any contact with a patient, the incident reminds all healthcare employers of the security concerns inherent in the industry. First, hospitals and other healthcare providers must have sound procedures to manage the high volume of visitors that enter through their doors. Many large facilities have implemented visitor management software to screen, badge, and track visitors entering the building. These systems offer an advantage over paper registries as each visitor is required to wear a temporary badge bearing the visitor’s photo. Further, the systems can be linked to real-time information regarding the location, discharge status, work schedule, and other information of a patient or employee whom the visitor is there to see. Similarly, employees can be required to wear photo-identification badges.
As another safeguard, healthcare employers should maintain anti-violence policies that include provisions prohibiting employees and visitors from bringing weapons onto the premises. Although many states have “guns in trunks” laws protecting an individual’s right to have a lawfully issued and licensed firearm locked inside a personal vehicle, employers are not prohibited from banning weapons inside the workplace, in patient areas, or in company vehicles. Employers should note that some states’ “guns in trunks” laws include retaliation provisions that expressly prohibit employers from taking action against employees who lawfully keep firearms in their parked vehicles. Federal laws and certain federal contracts, however, may supersede state law requirements and allow employers to impose a total ban against weapons on employer premises.
In addition to maintaining protocols for the physical security of patients, staff, and visitors, healthcare employers must have plans in place for managing their data. As almost all states have newly implemented or revised data breach laws, healthcare employers may have to follow more stringent requirements than those posed by the familiar Health Insurance Portability and Accountability Act of 1996 (HIPAA). Data breaches are becoming more common and can result from any unauthorized access to protected patient or employee data, including hacking from the outside (the Internet), viral attacks/phishing scams, rogue employees, inadvertent access to inadequately protected data, and the loss of devices (laptops, smartphones, thumb drives, etc.).
After ensuring that all data systems meet the applicable security requirements under federal law and state law, including remote access terminals and devices, healthcare employers should implement an action plan to handle potential data breaches when they occur. Having a plan will allow the employer to respond quickly, as many state laws require fast action. For example, several state data breach laws require employers to provide notification of a breach to individuals, law enforcement, and/or the state within 45 days or less. Failure to comply can result in significant financial penalties. Moreover, a federal data breach law could come before Congress in the near future. Consulting with legal counsel now to revise policies and practices is an employer’s best defense against future liability and unwanted media attention.
Dee Anna D. Hays is an associate in the Tampa office of Ogletree Deakins.