Healthcare Employee Accessed ePHI Without Authorization for 5 Years
Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations.
Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused.
In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months.
Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out, is how long access had been allowed to continue before it was discovered.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more than 700 patients had been accessed by the employee. The report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 702 individuals had their privacy violated by the employee.
Chadron Community Hospital and Health Services first learned of the privacy breach on January 3, 2017. The investigation into the employee’s activities showed medical records were first improperly accessed in September 2011 and that HIPAA-violating activity had continued until November 2016. The types of information accessed included names, addresses, dates of birth, demographic information, clinical information such as medical diagnoses, orders and physicians’ notes, some financial data and insurance information. No Social Security numbers are believed to have been viewed.
It is not clear why the employee accessed the information out of curiosity or if data were viewed with malicious intent. The individual is no longer employed by Chadron Community Hospital and Health Services. The dates of access suggest the employee had left the healthcare organization prior to the improper access being discovered.
Insider threats are a major concern for healthcare security staff. A recent Dimensional Research/Preempt survey showed that almost half of IT security professionals are more concerned about internal attacks than external threats. The network perimeter can be secured, although monitoring for improper access by employees can be a challenge.
HIPAA Rules require covered entities to maintain access logs and conduct periodic reviews of those logs to monitor for improper access. HIPAA does not state how often those logs must be checked, although it would be difficult to argue that regular, thorough checks were conducted if an employee was able to evade detection for more than 5 years. Such a long period of improper access is certain to attract the attention of Office for Civil Rights’ investigators.
