Dedicated to providing the latest
HIPAA compliance news

DA Launches Criminal Investigation into Actions of Curious Healthcare Employee

Share this article on:

Healthcare employees discovered to have improperly accessed the medical records of patients are likely to be terminated by their employers for breaching internal policies as well as HIPAA Rules. However, loss of employment is not the only punishment. Employees could also face a criminal investigation into their conduct, regardless of the reason why medical data were accessed.

A criminal investigation is likely if medical records have been accessed with malicious intent, but as has been highlighted this week, even accessing medical records out of curiosity can result in police investigation.

Earlier this week, St. Charles Health System announced that a caregiver had improperly accessed the medical records of around 2,500 patients over a period of 27 months. An internal investigation into the incident was conducted and the employee was confronted.

St. Charles Health System was satisfied that medical records were accessed out of curiosity and the employee was appropriately disciplined. The employee in question also signed an affidavit in which she confirmed that she had not used any of the information she viewed to commit fraud. She claims she looked at the medical records out of medical interest.

As is required by HIPAA Rules, all patients impacted by the privacy breach were notified by mail and the matter was reported to the Department of Health and Human Services’ Office for Civil Rights. In accordance with state rules, the Oregon Attorney General’s office was also notified about the breach. The incident was not reported to law enforcement as the privacy breach was not determined to be a criminal act.

However, Deschutes County District Attorney John Hummel believes law enforcement should have been notified of “an alleged breach of that magnitude,” to allow a criminal investigation to be conducted. DA has now launched a criminal investigation into the case and will work with the police department to determine whether any criminal laws were violated by the employee. Should that be the case, criminal charges will be filed against the employee.

While the healthcare provider was satisfied that records were not accessed with any criminal intent, Hummel explained that it is not up to the healthcare provider to make such a determination. Hummel explained to NewsChannel21 that “That job is left to police officers, district attorneys, grand juries, judges and juries in the courtroom,” Hummel went on to explain, “Just like I don’t diagnose a patient’s health condition, a medical professional shouldn’t try to determine whether a crime was committed.”

One patient has reported receiving a call from an individual claiming to be from St. Charles Health and was offered help protecting her health information. The call was not made by St. Charles Health, although there is no indication that the call was related to this incident. Patients of other healthcare providers have also reported receiving similar calls.

This incident should serve as a warning to all healthcare employees. Any improper accessing of medical records is not only likely to result in internal disciplining and potential loss of employment. Criminal investigations are also likely to be launched and jail time is a possibility.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On