HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

DA Launches Criminal Investigation into Actions of Curious Healthcare Employee

Healthcare employees discovered to have improperly accessed the medical records of patients are likely to be terminated by their employers for breaching internal policies as well as HIPAA Rules. However, loss of employment is not the only punishment. Employees could also face a criminal investigation into their conduct, regardless of the reason why medical data were accessed.

A criminal investigation is likely if medical records have been accessed with malicious intent, but as has been highlighted this week, even accessing medical records out of curiosity can result in police investigation.

Earlier this week, St. Charles Health System announced that a caregiver had improperly accessed the medical records of around 2,500 patients over a period of 27 months. An internal investigation into the incident was conducted and the employee was confronted.

St. Charles Health System was satisfied that medical records were accessed out of curiosity and the employee was appropriately disciplined. The employee in question also signed an affidavit in which she confirmed that she had not used any of the information she viewed to commit fraud. She claims she looked at the medical records out of medical interest.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

As is required by HIPAA Rules, all patients impacted by the privacy breach were notified by mail and the matter was reported to the Department of Health and Human Services’ Office for Civil Rights. In accordance with state rules, the Oregon Attorney General’s office was also notified about the breach. The incident was not reported to law enforcement as the privacy breach was not determined to be a criminal act.

However, Deschutes County District Attorney John Hummel believes law enforcement should have been notified of “an alleged breach of that magnitude,” to allow a criminal investigation to be conducted. DA has now launched a criminal investigation into the case and will work with the police department to determine whether any criminal laws were violated by the employee. Should that be the case, criminal charges will be filed against the employee.

While the healthcare provider was satisfied that records were not accessed with any criminal intent, Hummel explained that it is not up to the healthcare provider to make such a determination. Hummel explained to NewsChannel21 that “That job is left to police officers, district attorneys, grand juries, judges and juries in the courtroom,” Hummel went on to explain, “Just like I don’t diagnose a patient’s health condition, a medical professional shouldn’t try to determine whether a crime was committed.”

One patient has reported receiving a call from an individual claiming to be from St. Charles Health and was offered help protecting her health information. The call was not made by St. Charles Health, although there is no indication that the call was related to this incident. Patients of other healthcare providers have also reported receiving similar calls.

This incident should serve as a warning to all healthcare employees. Any improper accessing of medical records is not only likely to result in internal disciplining and potential loss of employment. Criminal investigations are also likely to be launched and jail time is a possibility.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.