HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cedars-Sinai Hospital Fires Six Over Inappropriate Patient PHI Access

Cedars-Sinai Hospital in Los Angeles was chosen by reality TV star Kim Kardashian and Rapper Kayne West as the place to have their daughter delivered. Their baby was born on June 15th, but three days later some members of staff started accessing the medical records of one of the patient from the hospital. The hospital announced that the records were accessed over a period of one week.

Six staff gained access to medical records which they were not authorized to view, with one individual accessing 14 patient records and the other five accessing the record of a single patient. The hospital did not confirm the names of the patients affected by this security breach and according to the L.A Times, neither Kardashian nor West was available for comment on the matter. The hospital did confirm that all patients affected by the breach had been contacted and notified of the unauthorized access and the hospital did not believe that any crimes had been committed.

Cedars-Sinai operates strict policies to protect confidential medical records and the persons who accessed PHI of patients did not have the security credentials to do so. Access was gained using the login details of other members of staff

Four of the staff had some medical privileges at the hospital but were employed by community physicians, one was employed directly by the hospital as a medical assistant and another was a student research assistant. According to a statement issued by the hospital, access to the data was made possible via the logins of three community physicians; Dr. Sam Bakshian, Dr. Abraham Ishaaya, and Dr. Shamim Shakibai.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

All three doctors were granted permission to remotely access the data and all provided their login details to their assistants; which was against the hospital policy. The other login used to access the PHI was issued to the doctor’s employee directly for purposes of billing.

Cedars-Sinai Chief Privacy Officer reassured the public and patients about security at the hospital generally being of a very high standard and unauthorized access to data is “quite simply unacceptable”. This is the second time members of staff have been involved in incidents involving inappropriate access to PHI at the hospital. In 2009 a member of staff stole records of patients and used the information to make fraudulent insurance claims.

The five members of staff who accessed the records inappropriately have now had their employment terminated and the student research assistant’s time at the hospital has also come to an end.

As a further precaution the hospital will also prevent access to records by the individuals concerned, even if they gain employment at another health provider. Law enforcement has also been notified as a precaution, although there is no evidence to suggest that any of the information viewed will be used for criminal purposes.

When the employees accessed the data they violated HIPAA regulations, and as such the Office for Civil Rights may investigate. The OCR has the authority to issue fines for HIPAA non-compliance issues and data breaches, with the healthcare institution often held liable in cases where employees have inappropriately accessed patient records.

In 2008, an employee of the UCLA Health System accessed the records of Britney Spears, Farah Fawcett and Maria Shriver and was convicted of selling in medical information to the National Enquirer. UCLA had to settle with federal regulators for $865,500. A fine of up to $50,000 can be issued for each violation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.