
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Ohio Radiologist Disciplined for HIPAA Violation

The Ohio State Board of Medicine has taken action against a radiologist who violated the Health Insurance Portability and Accountability Act (HIPAA) by unlawfully accessing the medical records of a colleague.

The radiologist, Dr. Aimee Hawley, accessed the records of a work colleague of Mercy Health St. Rita’s Medical Center in September 2013. Hawley has since left the hospital’s medical staff.

It is not known why Hawley accessed the records of her physician colleague, when she should have been aware of the restrictions in place covering access to Protected Health Information under HIPAA. The State Medical Board of Ohio’s education & outreach program manager, Joan Wehrle, said the source of the complaint into the HIPAA violation was being kept confidential.

He pointed out that patient privacy is a serious matter and “No one can access a patient’s medical records unless they are a treating or consulting physician or have permission from the patient.”


As a result of this transgression, Hawley has agreed to sign a consent agreement submitting to disciplinary action. A consent agreement is attached to Hawley’s medical license and constitutes her agreement to “a reprimand and probationary punishment,” after she “intentionally accessed the electronic medical records of a physician colleague (and) further admits that she was not a treating physician, nor was she asked to consult, or provide diagnostic service.”

The terms of the reprimand and probationary punishment include:

  • A written apology to the individual concerned for the unlawful access of Protected Health Information
  • The provision of quarterly confirmations of continued HIPAA-compliance to the Board of Medicine
  • Attendance at face-to-face meetings at the request of the State Medical Board
  • Compulsory attendance at medical ethics training sessions
  • A submission of a written report summarizing what has been learnt during training

The Risk of Improper Access Can be Reduced

Employees who access the Protected Health Information of fellow employees or patients without authorization can face civil claims for damages, and criminal charges may be filed, which can result in heavy fines and up to a decade in prison.

Even with the risks, inappropriate access of records by employees occurs all too frequently in hospitals. These HIPAA violations can be difficult to identify, and it is only when a full security audit is completed – involving the checking of access logs – that the violations are uncovered.

Many HIPAA-covered entities do not perform full audits regularly and fail to identify improper access for many months, if not years in some cases. If a HIPAA-covered entity is to escape also being penalized for allowing PHI to be viewed, it is essential to check regularly for improper access so that it can be promptly identified.

The Department of Health and Human Services’ Office for Civil Rights can issue substantial penalties for violations of the HIPAA Security Rule, such as failing to put technical, physical and administrative controls in place to safeguard PHI. State Attorneys General may also file lawsuits against organizations and individuals for HIPAA violations.

Training a Major Factor in Reducing HIPAA Violations

It is also essential that training is provided on HIPAA Rules to all staff required to come into contact with PHI. HIPAA legislation was introduced many years ago to protect the privacy of patients, yet some physicians and medical professionals are still unaware how the rules apply to Protected Health Information.

It is essential – and a requirement of HIPAA – to provide training to staff on HIPAA, data privacy and security matters. Not only must training be provided, regular refreshers must take place to ensure that patient privacy matters are kept fresh in the mind.

Restricting access to PHI may not be practical, but whenever possible individuals’ access to PHI should be restricted to “the minimum necessary information” to reduce both the risk of improper access and the temptation to view records without authorization.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
