The massive data breaches of Anthem and Premera highlight the real and present danger of HIPAA breaches from hackers, but there is also a major threat from within. Hospital employees may not be responsible for the largest breaches, yet staff snooping on hospital records is a serious problem.
Each year employees view and copy the data of tens of thousands of patients, with 9,000 records potentially compromised in the latest case of employee snooping, according to a report in the Daytona Beach News Journal.
Two medical professionals working at an unnamed Florida Hospital in Orlando have recently had their employment contracts terminated after the hospital discovered that patient records had been inappropriately accessed.
The employees were based in Orlando, and reportedly had access to the patient records at eight Florida hospitals: Florida Hospital Orlando; Florida Hospital Altamonte; Florida Hospital Apopka; Florida Hospital East Orlando; Florida Hospital Kissimmee; Celebration Health; Winter Park Memorial Hospital and Walt Disney Pavilion at Florida Hospital for Children, although Florida Hospital spokeswoman, Samantha Kearns O’Lenick, confirmed that patients from Volusia and Flagler counties were unaffected.
The employees, who have not been named, accessed patient facesheets – summaries of patient information – and reportedly printed this information. The data on the sheets included patient names, addresses, phone numbers, contact information, health insurance details, names of treating physicians, diagnoses and other health information and Social Security numbers.
In spite of there being no apparent legitimate reason for the employees to have accessed and printed the data, the hospital and law enforcement do not believe the information has been used inappropriately. The employees in question had their employment contracts terminated immediately upon discovery of the breach and could potentially see jail time for the inappropriate accessing of patient records.
The problem appears to have started in January 2012 and was allowed to continue for a period of over two years. On May 2, 2014, the hospital was notified of the data breach by law enforcement. An investigation was started internally, while law enforcement also investigated the data breach. According to a hospital spokesperson, the issuing of breach notification letters for this reason.
Under the HIPAA Breach Notification Rule, covered entities are required to issue alerts to the Office for Civil Rights, the media and to send letters to all affected patients informing them of the breach. These procedures need to be conducted without delay, with the notifications issued no later than 60 days following the discovery of a HIPAA breach. Under the Health Insurance Portability and Accountability Act, breach notifications must be issued as soon as possible after a data breach to allow patients to take action to protect their identity.
However, in this case, Florida Hospital delayed the issuing of breach notification letters until March 20, 2015, with the hospital advising patients that they should contact the hospital if they have not received a letter by April 16, 2015, or if they believe they have been a victim of identity fraud. According to HIPAA:
“All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).”
However, a delay is allowable if the issuing of breach notification letters could in some way jeopardize the investigation.
“Delay of Notification Authorized for Law Enforcement Purposes.—If a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed in the same manner as provided under section 164.528(a)(2) of title 45, Code of Federal Regulations, in the case of a disclosure covered under such section.”
It is not clear why law enforcement required such a long delay – over 10 months – or to what extent law enforcement officers believed the notification of individuals would hamper the investigation. The OCR is likely to assess the data breach, and the response, to determine whether HIPAA Rules have been broken and if Florida Hospital delayed the issuing of breach notification letters unnecessarily.