Before I go into what CAN happen when your workforce snoops, it is important for you to know what your workforce is doing.
And here’s why you should …
The HIPAA Security Rule requires Covered Entities (CEs) and Business Associates (BAs) to implement safeguards to record and examine activity on information systems that contain and/or use electronic protected health information (PHI) (see 45 CFR § 164.312(b)) and to regularly review records of information system activity, such as audit logs. See 45 CFR § 164.308(a)(1)(ii)(D).
What Happens When Your Workforce Snoops …
Last week, there were two high-profile incidents of medical record snooping that made national news. Our first case is an extreme example and will involve jail time!!
On June 28, 2018, while we were busy getting ready for our fun-filled 4th of July celebrations, things were heating up in the “State of Independence.” That was when a federal grand jury handed down a six-count indictment for wrongfully obtaining and disclosing the PHI of other individuals with the intent to do harm.
In August 2017, the University of Pittsburgh Medical Center (UPMC) received a complaint about a privacy violation. This sparked an internal investigation, which resulted in the immediate termination of the accused workforce member.
The HIPAA violation was then turned over to the Department of Justice and the FBI launched an investigation.
Now for the details on what happened. I’ve decided to skip the Who; instead, I am focusing on the What, When, Where, and How it happened:
From March 7, 2016, through August 17, 2017, the accused was employed as a Patient Information Coordinator for an affiliate of UPMC, and then by the Allegheny Health Network (AHN). During that time the accused wrongfully obtained health information from 111 individuals from UPMC and 2 individuals from AHN.
The indictment also charges that on four occasions between December 30, 2016, and August 11, 2017, the accused wrongfully disclosed the PHI of three individuals, with the intent to cause malicious harm.
How they found …
In June 2017, the accused sent an email disclosing PHI to their former employer’s company controller. Then in August 2017, the accused went one step further when they left a voicemail revealing PHI to another former employee of the company. That is what sparked the privacy violation call to UPMC.
Now What …
The accused pleaded guilty to one count of wrongful disclosure of PHI with intent to cause harm (leaving the voicemail message) and admitted to having accessed the medical records of more than 100 individuals without authorization.
The accused is currently released on bond pending sentencing on June 25, 2019, and faces a fine of up to $250,000 for the HIPAA violations and a sentence of up to 10 years in jail.
When Hollywood Comes Calling …
By now, most of us have learned about the recent events surrounding former “Empire” television star Jussie Smollett. After the alleged attack, he was taken to Northwestern Memorial Hospital.
Why does that matter, you ask …
That is what possibly more than 60 Northwestern Memorial Hospital employees are saying after having been terminated for their involvement in violating Mr. Smollett’s HIPAA privacy rights!!!!
Take a few minutes to watch this news report to learn WHY Northwestern Memorial Hospital took the steps they did and WHAT Northwestern Memorial Hospital’s next steps will be.
Over the years, several healthcare organizations have been cited for HIPAA violations because of inappropriate actions taken by their workforce. The above cases are only two examples of what happens when your workforce simply snoops.
For more insight on snooping, check out our previous installment, Ep. 29: Know The Rules! Medical Record Snooping.
Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.
After all, it is YOUR practice, YOUR patients’ trust, YOUR reputation and YOUR legacy!
Why are you leaving yourself wide open to these risks?
Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!