Snooping employees sacked, disciplined after HIPAA breach
What happens when a healthcare organization's employees are found to have been inappropriately accessing patient medical records? The actions of one health system might serve as an example.
After 14 of its employees were found to have accessed a high-profile patient's medical records "without a legitimate patient care need," the nine-hospital Carilion Clinic in Roanoke, Va., is sending a clear message that this behavior will not be tolerated.
"Appropriate actions have been taken with each employee, up to and including termination," said Vicki Clevenger, vice president of internal audit & compliance, and chief compliance officer for the health system, in a prepared statement.
Carilion said it cannot divulge specific details of the HIPAA violation, according to an ABC report.
The health system's IT system keeps a data trail of which employees access which medical records, and the health system can audit that access log if need be.
In addition to finding out about data privacy compromises from specific individuals, the health system also may "proactively monitor a high-profile patient's medical record," Clevenger added.
Employee snooping on patients' medical records is far from uncommon. Just this January, the 785-bed Sutter Health's California Pacific Medical Center notified 844 patients that their PHI had been compromised after discovering one of its pharmacist employees had been inappropriately accessing records. The employee was fired.
One month earlier, in December, the Cleveland-based University Hospitals reported a similar HIPAA breach involving an employee who inappropriately accessed the medical records of 692 people for nearly three and a half years unnoticed. The employee was also fired.