HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI

NYC Health + Hospitals has discovered a volunteer accessed the protected health information of almost 3,500 patients without official authorization.

The unauthorized disclosure of PHI was discovered by NYC Health + Hospitals on March 10, 2017. The volunteer had worked in the phlebotomy department of Coney Island Hospital for a period of three months under the direction of a supervisor.

The supervisor arranged for the volunteer to perform a number of tasks, some of which involved accessing certain patients’ PHI. While volunteers would be permitted access to PHI if they had been first vetted by Coney Island Hospital’s Human Resources department, in this case that process had not been completed.

When the supervisor instructed the volunteer to perform certain duties that required the PHI of patients to be accessed, the supervisor violated NYC Health + Hospitals policies and Health Insurance Portability and Accountability Act Rules.


The activities performed by the volunteer that involved accessing PHI included logging the names of patients in a log book and transporting specimens within the Coney Island facility. While performing those duties, the volunteer had access to protected health information such as patients’ names, medical record numbers and dates of birth. Since the volunteer had not been vetted, an unauthorized disclosure of PHI had occurred.

The incident was investigated and aside from the volunteer viewing PHI, no other improper disclosures of PHI are understood to have occurred; however, the privacy violation warranted notifications to be sent to patients as is required by HIPAA Rules.

Anthony Rajkumar, Chief Executive Officer of NYC Health + Hospitals, issued a statement confirming action has been taken to prevent further privacy breaches of this nature from occurring, including reminding management of the responsibility to ensure all volunteers are subjected to proper processing procedures by the human resources department.

Action has also been taken against the supervisor for violating hospital policies. The supervisor was initially suspended and later resigned from the position. The volunteer has been prevented from accessing Coney Island Hospital facilities.

Due to the limited nature of PHI accessed by the volunteer, credit monitoring services have not been offered, although a toll-free number has been set up to allow patients to have any questions answered.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.