HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years

Cases of employees snooping on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out due to the length of time that an employee was accessing medical records without authorization before being caught.

The hospital was tipped off about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In response to the complaint, the hospital conducted a full review which revealed the former patient’s medical records had been accessed by an employee without any legitimate reason for doing so.

Further investigation revealed it was far from a one off.  The employee had been accessing the records of patients without authorization for a period of 14 years. The first instance dated back to 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.

Tewksbury Hospital, which is run by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those individuals are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those individuals, a substitute data breach notice has been placed on the Mass.gov website.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The employee was a clerk at the hospital and was required to have access to medical records in order to complete work duties. Those access rights were abused and as a result, the employee was terminated and no longer has access to the EMR system.

The types of information that were potentially accessed includes names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided at the hospital and in some cases, Social Security numbers.

Tewksbury Hospital says steps have now been taken to reduce the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected promptly. Those steps included conducting a review of policies and procedures regarding access to its EMR system and a reassessment of how access logs to medical records are reviewed. Staff will also be provided with additional training on the privacy and security of protected health information.

Tewksbury Hospital says the investigation did not uncover any evidence to suggest protected health information was misused in any way.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data breaches that have impacted more than 500 individuals. If the investigation reveals HIPAA Rules have been violated by the hospital, the penalty is likely to be severe for a breach of this duration.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.