A former employee of a New York hospital has been charged with a criminal HIPAA violation for improperly accessing electronic health record information in violation of the hospital's policies. The employee worked the night shift and has since been terminated from employment at the hospital.
In November 2021, the hospital announced that it had determined that an employee had accessed patient information without authorization between October 2018 and February 2019. The hospital representative stated that notification was delayed at the instruction of law enforcement, which was investigating the incident.
The New York hospital sent about 13,000 notices to patients regarding the incident, noting that the employee was terminated and charged with a criminal HIPAA violation. There is no evidence that the former employee accessed Social Security numbers, insurance information, credit card numbers, or other payment-related information.
The data that was breached may have included demographic information such as name, date of birth, telephone number, address, internal account number, and medical record number, as well as clinical information such as diagnoses, medications, laboratory results, course of treatment, the names of healthcare providers, or other treatment-related information.
The hospital is offering a year of complimentary identity theft protection for the patients affected by the data breach. The hospital is also taking additional steps, including bolstering access controls and targeted retraining of staff on the importance of protecting patient confidentiality.
Issue:
Ransomware attacks have recently dominated attention, but unfortunately employee “snooping” and unauthorized access to patient records continue to be an ongoing challenge for the healthcare sector. It is essential that all healthcare workers understand HIPAA and their responsibility to secure protected health information (PHI). The Privacy Rule allows access to the information needed to ensure high quality healthcare and to protect the public, while ensuring that an individual’s health information is properly protected. Staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.
Discussion Points:
- Review policies and procedures related to HIPAA, PHI, and privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates.
- Train all staff on HIPAA, PHI, and privacy upon hire, annually, and whenever issues occur. Ensure they understand that reporting of privacy breaches is mandatory. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed by all staff and that each staff member demonstrates understanding and competency.