The Hattiesburg Clinic, a physician-owned multi-specialty practice based in South Mississippi, has alerted its patients to an invasion of their privacy after an optometry provider used the clinic’s database to send out a mailing to patients advising them of his new employer.
The breach was discovered by a patient who alerted 7WDAM about the potential HIPAA breach. Staff at 7WDAM contacted the clinic to advise them of the potential privacy breach, and an investigation into the incident was launched.
The clinic sent Breach Notification letters to patients on March 20, 2015 alerting them to a potential breach of their privacy. The notification letter told patients that the clinic became aware of the breach on January 23, 2015. The clinic discovered that former optometrist, Dr. Scott Paladichuk, had accessed the clinic’s patient database on a number of occasions and had viewed and copied a number of records of patients, many of whom he had no treatment relationship with.
The investigation determined that the records were accessed over a period of two weeks between December 11 and December 31, 2014. The records were accessed, copied and pasted onto a portable electronic storage device, and that data was then used by Paladichuk to send out letters to patients advising them of his new place of employment.
The clinic confirmed that Paladichuk was no longer in possession of the data, and that the only reason information was taken was for the purpose of sending the letter about his change of employer. Only demographic data was copied, but when records were accessed it is possible that health data was inappropriately viewed.
The clinic issued an apology for the incident and believes that there is no further risk to patients. The clinic has reported the incident to the Department of Health and Human Services’ Office for Civil Affairs, as required by HIPAA Breach Notification Rules.
The breach notification letter sample posted on the 7WDAM website is dated March 20, 2015, yet the incident was first identified by the clinic on January 23, 2015.
The Breach Notification Rule requires that patients, and the Office for Civil Rights, be notified of an incident in which their Protected Health Information and personally identifiable information has been inappropriately accessed, viewed or copied. There is a time limit for issuing Breach Notification letters, which is 60 days from the discovery of the breach. HIPAA also states that the issuing of these letters should not be unnecessarily delayed. It is not clear why the healthcare provider delayed sending the breach notification letters and waited until just a few days before the deadline.
Staff Must be Trained on HIPAA Privacy and Security Rules
Data security measures can be installed to prevent hackers from gaining access to network servers, secure login systems can be used to limit access to PHI, and data can even be encrypted. However, staff who have been provided with access, including data encryption keys, are able to bypass all of these defenses and gain access to patient and health plan member data.
The threat from within is very real, and employee snooping and data theft incidents are frequently reported to the OCR. In this case, the access to and theft of records caused no apparent harm or damage to patients, but that is not always the case. Data may be sold on to criminals, or otherwise used to commit medical fraud or identity theft.
It may not be possible to prevent HIPAA breaches by employees entirely, although it is an issue that can be tackled by providing staff with training. All members of staff in a clinic or healthcare facility must be provided with training on the Health Insurance Portability and Accountability Act, in particular the rules covering patient privacy.
Employees should be informed about when records can be accessed, for what purposes, and when they can be disclosed. Staff must also be informed of the repercussions of accessing or viewing patient records without authorization.
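Training reduces the risk, but an authorised user can still be caught after the fact: the pattern in this incident (one user viewing and exporting records of many patients outside any treatment relationship within a short period) is visible in the EHR access audit log. The following is an added example, not the clinic's or the article's code, using a constructed audit log and a constructed treatment-relationship table to flag that pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit log (not real clinic data): user,timestamp,patient id,action.
ACCESS_LOG = [
    "opt01,2014-12-11T08:02:00,P1001,view",    # opt01 treats P1001: legitimate
    "opt01,2014-12-11T08:05:00,P1002,view",    # no treatment relationship
    "opt01,2014-12-12T09:10:00,P1003,view",
    "opt01,2014-12-12T09:11:00,P1003,export",  # copied to removable media
    "opt01,2014-12-19T17:40:00,P1004,export",
    "opt01,2014-12-31T18:02:00,P1005,export",
    "nur02,2014-12-15T10:00:00,P2001,view",
    "nur02,2014-12-15T10:30:00,P2002,view",
    "nur02,2014-12-16T11:00:00,P1001,view",    # one covering access: below threshold
]

# Constructed treatment relationships: patients each clinician is actually treating.
TREATMENT = {
    "opt01": {"P1001"},
    "nur02": {"P2001", "P2002"},
}

def parse_log(lines):
    """Yield (user, timestamp, patient_id, action) from CSV audit lines."""
    for line in lines:
        user, ts, pid, action = line.split(",")
        yield user, datetime.fromisoformat(ts), pid, action

def flag_snooping(lines, treatment, window=timedelta(days=21), max_outside=3):
    """Return users who touched more than max_outside distinct patients outside
    their treatment relationships within any sliding window, with export counts."""
    outside = defaultdict(list)
    for user, ts, pid, action in parse_log(lines):
        if pid not in treatment.get(user, set()):
            outside[user].append((ts, pid, action))
    flagged = {}
    for user, events in outside.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            distinct = {pid for _, pid, _ in span}
            if len(distinct) > max_outside:
                exports = sum(1 for _, _, a in span if a == "export")
                flagged[user] = {"patients": len(distinct), "exports": exports}
                break
    return flagged

if __name__ == "__main__":
    print(flag_snooping(ACCESS_LOG, TREATMENT))
```

The threshold and window are constructed values; a real deployment would tune them to the role (a nurse covering a ward legitimately touches many charts) and raise the "export" count as a separate, higher-severity signal.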