Ohio Health System Employee Inappropriately Accessed Patient Records for 15 Years

An Ohio health system announced on June 26, 2023, that an employee was disciplined for inappropriately accessing patient medical records since 2008. The unauthorized access was discovered on April 27, 2023.

The subsequent investigation revealed that patient records had been inappropriately accessed by the employee on multiple dates between 2008 and 2023. According to the health system, the patient records which were accessed included names, birthdates, and clinical information. The employee did not have access to financial information such as Social Security numbers or banking information.

The health system released a statement saying that to date, there is no evidence that any information had been misused as a result of the incident. The statement also said that disciplinary action was immediately taken in accordance with the health system’s human resources policies. All patients whose records were affected by the incident were notified, in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The health system is taking additional steps to strengthen privacy processes, procedures, and training to prevent similar incidents from occurring in the future.

Compliance Perspective

Issue

The HIPAA Security Rule requires facilities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI). Facilities must ensure the confidentiality of all ePHI they create, receive, maintain, or transmit. The Security Rule defines confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Facilities must provide for appropriate authorization and supervision of workforce members who work with ePHI. All workforce members must be trained on security policies and procedures, and facilities must have and apply appropriate sanctions against workforce members who violate those policies and procedures.

Discussion Points

    • Review policies and procedures related to HIPAA, protected health information (PHI), and Privacy. Ensure that they address preventing staff from impermissibly accessing PHI and ePHI.
    • Train all staff on HIPAA, PHI, and Privacy, minimally upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff, and that each person demonstrates understanding and competency. Also audit to ensure PHI and ePHI are not being accessed inappropriately.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*