A university’s medical sciences department discovered that a former employee sent emails from her university email account to her personal Gmail account that contained names and other personal and protected health information (PHI) of 518 patients.
On November 29, 2021, the university discovered that the employee sent the emails on November 15, 2021. The emails consisted of Excel spreadsheets used for internal billing compliance auditing purposes and/or billing statements for reimbursement. The information included patient names, hospital account numbers, dates of service, insurance type, claim information for billing purposes, and medical record numbers. A few patients’ information also included their dates of birth and medical information.
When the department learned of the incident, they immediately filed a police report with the university’s police department. The Vice Chancellor of Compliance at the university contacted the employee and explained the seriousness of the matter. The employee said that it was a mistake and explained in writing that it was an unintentional error on her part, and she did not retain or share any of the information. The employee voluntarily terminated her employment with the university.
The university’s privacy officer stated, the university “takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening.”
The university has policies and procedures to safeguard and protect the privacy and security of PHI, and all of their employees are trained on the content. Annually, all employees are required to complete HIPAA training, which includes topics such as employees using and accessing PHI for legitimate, authorized purposes needed to perform their job duties. It also addresses using secure and encrypted email and not using employees’ personal email to send and receive health information of patients.
The affected patients will be contacted via mail or the university’s website.
Issue:
All healthcare workers must understand HIPAA and the requirements for keeping protected health information (PHI) secure. The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public, while ensuring an individual’s health information is properly protected. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.
Discussion Points:
- Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates.
- Train all staff on HIPAA, PHI, and Privacy, minimally upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that facility’s policies and procedures for HIPAA, PHI, Privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.