Privacy Breach at New York Medical Center Results in Employees Being Terminated

Cyber

A large medical center with comprehensive safeguards in place to protect the protected health information (PHI) of its patients experienced a breach affecting an undisclosed number of patients. The medical center terminated an undisclosed number of employees under its zero-tolerance policy for breaches of PHI.

Compliance Perspective – Privacy Breach:

The Compliance and Ethics Officer, together with the facility's Privacy Officer, Human Resource Manager, IT Manager, Risk/Safety Manager and Administrator, should review the policies and procedures covering potential breaches of protected health information to ensure that an appropriate protocol is in place for responding to and correcting a breach in a timely manner. All staff with access to patients' PHI should receive ongoing education about the importance of protecting that information. Administrative and IT staff must be trained on the Health Insurance Portability and Accountability Act (HIPAA) and its three components: the Privacy Rule, the Security Rule and the Breach Notification Rule. The Compliance and Ethics Officer will request that IT staff develop and carry out an audit to determine when the breach occurred, what information was exposed, which patients were affected, and how those patients will be notified; the Breach Notification Rule requires that affected individuals be notified without unreasonable delay and no later than 60 days after discovery of the breach. The completed audit results will be summarized and submitted to the Compliance Committee for review and for consideration of any policy and procedure changes needed to prevent future breaches.

After a New York medical center discovered a confidentiality breach of patients' protected health information (PHI) in violation of the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the medical center terminated an undisclosed number of employees.

The breach was discovered during an internal audit, and the medical center's spokesperson explained its action in terminating those employees this way: "Our employees cannot provide care without having access to patient information." The spokesperson also said that the medical center maintained "detailed policies, procedures and safeguards relating to privacy and security of patient information and all employees are required to comply with those standards."

Asked about a police investigation, the spokesperson said that there had been none because the breach was discovered through the medical center's own internal audit. She reiterated that the medical center has a long-standing policy of not tolerating "breaches of patient privacy."

According to the spokesperson, the center's zero-tolerance policy is supported by mandatory education for new employees on the requirement to safeguard the medical center's patients' protected health information. Employees also receive ongoing training on HIPAA requirements, and the medical center has an ongoing program to monitor employee compliance through random audits like the one that discovered the breach.

The patients whose PHI was affected by the breach were notified by registered mail.

The spokesperson pointed out that the medical center continuously assesses its protocols for protecting the privacy of its patients' information and looks for opportunities to improve them.