Employee Fired for Inappropriately Accessing EHR Records

By Mike Semel

Even an ‘Internal Breach’ is a Breach

According to an announcement on its website, Alabama-based DCH Health Systems fired an employee for accessing and viewing over 2,500 patient records “without a legitimate business need related to the employee’s job duties.”

The notice said the breach was discovered “during a routine privacy audit.”

The records that may have been accessed and viewed without authorization include names, addresses, dates of birth, Social Security numbers, dates of encounter, diagnoses, vital signs, medications, test results, and clinical/provider notes.

DCH said it does not know if the information was used or further disclosed and mailed letters to patients informing them of the breach and offering identity theft/credit monitoring services to those whose health plan ID numbers may have been involved.

There are lots of lessons to be learned from this incident. This is a good ‘teaching moment’ to share with your administrative and clinical managers and staff.

  1. HIPAA includes a requirement for MINIMUM NECESSARY ACCESS.

This means that those with authorized access to your medical records may only access records for authorized purposes, and they should only access the minimum amount of information required for the task they are completing. DCH Health Systems said the employee was fired for accessing records for unauthorized purposes.

Everyone knows that HIPAA requires patient information to be kept private and not shared with friends, family members, or anyone else without the patient’s authorization. (There are exceptions for providers and health plans to use patient information without the patient’s authorization for Treatment, Payment, and business Operations.)

What isn’t always effectively taught is that someone with access to a medical records system is violating HIPAA if they access records without a legitimate business purpose, commonly known as ‘snooping’. I have also seen HIPAA training courses that don’t educate staff that HIPAA lives on and protects health information for 50 years after a patient dies.

  1. While there is no mention of criminal charges in the DCH Health Systems notice, this incident might be being investigated for criminal intent.

HIPAA violations generally move from civil to criminal when there is intent to commit harm or if accessing the records is for personal gain. A Mayo Clinic doctor was arrested for accessing health records without authorization. In Tennessee, five former Methodist Hospital employees were fired and arrested for selling patient injury records to a chiropractor.

  1. DCH Health Systems said it caught the unauthorized activity in December during a ‘routine privacy audit’.

HIPAA requires that computer activity logs be reviewed to identify unauthorized or inappropriate access. This can be hard to catch unless you involve clinical or administrative staff members who can spot when someone is accessing a record without a legitimate business purpose. 

For example, one of our medical practice clients caught a receptionist in one office snooping in records of patients who were visiting another office. Someone in IT would have just seen a name on a list and would probably not have know that the person was accessing records in another location.

One of the first requirements in the HIPAA Security Rule is an Information System Activity Review’, meaning that computer activity logs must be reviewed to identify unauthorized activity. 

There are cybersecurity tools that can automatically identify unusual activity, such as a user who usually works from 8 am to 5 pm accessing records at 3 am. It is a lot harder to catch a staff member looking at a record for a patient they are not treating, billing, or reviewing for quality assurance purposes. This is why I involved department managers in our Information System Activity Reviews.

There is a related requirement in HIPAA for Unique User Identification’, meaning that all computer users must be uniquely identifiable, prohibiting shared generic logins like ‘Nurse’, ‘Receptionist’, etc. 

Finally, HIPAA requires Audit Controls’, meaning all access to electronic Protected Health Information (ePHI) must be tracked in log files, with logs of all applicable systems (EHR, e-mail, network and cloud servers, Azure, AWS, Google Drive, etc.) retained for 6 years.

Several large HIPAA fines have been issued for not logging access, not using unique user identification, and not performing reviews of the logs. 

When I was the Chief Information Officer at a hospital, a nurse was fired for inappropriately accessing her former mother-in-law’s medical record. My consulting firm works with several clients that have terminated employees for accessing records without authorization.

  1. Even though this was an ‘internal breach’ of health information, it was still a breach just like if the records had been stolen and sold by hackers. 

DCH Health Systems has followed the HIPAA Breach Notification Rule requirements for patient notification by publishing a notice on its website and sending letters to patients.

It isn’t clear if DCH Health Systems has followed the federal reporting requirement to report the incident ‘without unreasonable delay and no later than 60 days from the discovery of the breach’ because it has not yet appeared on the HIPAA ‘Wall of Shame’ website, where incidents involving over 500 records are shared. 

The requirement is sometimes misunderstood by those who think they have 60 days to report an incident to the Office for Civil Rights. The actual requirement is for reporting ‘without unreasonable delay and no later than 60 days from the discovery of the breach’. If DCH Health Systems could send patients letters and post a notice on its website within 45 days, it would seem that submitting its required report could have been done at the same time.

According to Alabama’s data breach law, which covers Social Security Numbers, health plan ID numbers, and medical information, the incident should have also been reported to the state attorney general because it exceeded 1,000 individuals.

  1. The employee was fired. It can be hard to fire an employee, particularly now when it is so hard to find good talent. 

But, HIPAA requires you to have a Sanction Policy that defines the ‘appropriate sanctions against workforce members who violate its policies and procedures.

STEPS YOU SHOULD TAKE NOW TO MAKE SURE YOUR PATIENTS ARE PROTECTED AND YOUR ORGANIZATION IS ALIGNED WITH YOUR COMPLIANCE REQUIREMENTS.

 

  • Review your HIPAA Security Rule requirements and ensure your technology is following the requirements for Information System Activity Review, Unique User Identification, and Audit Controls. Be sure to cover all systems that access, process, or store electronic Protected Health Information.
  • Make sure your Information System Activity Reviews include department managers and others who can recognize unusual activity that may be missed by someone not familiar with everyone’s roles and responsibilities.
  • Share your Sanction Policy with your staff and enforce it when needed.

 

While there are no specific sanctions that must be in your policy, most organizations include several levels of sanctions based on the number of incidents, whether they were accidental or intentional, and the number of patient records involved. I have also worked with an organization that had a ‘zero tolerance’ policy for HIPAA incidents and fired a long-time nurse who admitted accessing a family member’s medical record.

Whatever your sanction policy is, make sure you share it with your staff. To avoid claims of discrimination and unfair termination, be sure to apply sanctions evenly, even if it means disciplining a long-term and well-liked staff member.

 

Semel Consulting works with Covered Entities, Business Associates, and Subcontractors to properly manage HIPAA compliance.

MIKE SEMEL  |  www.SemelConsulting.com