Healthcare Compliance Perspective:
It is essential for skilled nursing facilities to accept an all-hazards approach to disaster preparedness, which includes all possible threats and cyber security issues. In the event of a breach of Protected Health Information (PHI), the response and mitigation plan should be immediately executed, any crimes should be reported to law enforcement, and breaches should be reported to both those impacted by the breach as well as federal and information-sharing analysis organizations.
Unlawful accessing of patient records resulted in the dismissal of thirteen employees last year from a South Carolina academic medical center. The breaches of patient Protected Health Information (PHI) was not only in violation of HIPAA law, it involved some high-profile patients. All together there were 58 patient privacy breaches that the hospital was required to report to the federal government in 2017.
Most of the breaches occurred after employees curiously “snooped” into the files of patients involved in news media reports. Staff at the medical center explained to the Board of Trustees in a recent meeting that the snooping breaches were small and not like the massive ones that are reported in the news. Nevertheless, it was noted that “a one-person breach is a bad thing for that one person” who had entrusted themselves into the care of the medical center.
Assurance was offered to patients not to worry about their own information due to the fact that the center has the ability to track each employee who opens a patient’s file and this makes patients less vulnerable to a security breach.
According to a senior information security analyst at the center, all medical center employees with access to health records must receive annual training regarding HIPAA requirements for protecting an individual’s PHI. The analyst also warned that the risks of such breaches are not “going to go away,” but that they are increasing.
A spokeswoman for the medical center issued a statement reiterating the hospital’s commitment to protect patient privacy. She emphasized that all breaches are dealt with quickly and decisively. She noted that while some breaches are not malicious and often just involve the faxing of information to a wrong location, others do involve what she termed, “misplaced curiosity or malice.” The spokeswoman reported that there have been 307 breaches occurring at the medical center since 2013; and, of that 307, 30 employees were terminated including the thirteen fired in 2017.