Hospital Employee Fired for Accessing Medical Records Without Authorization
Lowell General Hospital in Massachusetts has discovered the medical records of 769 patients have been accessed by an employee without any legitimate work reason for doing so.
By accessing the medical records, the employee breached hospital policies and violated the privacy of patients. Upon discovery of the breach, and completion of the subsequent investigation, the employee was terminated. Lowell General Hospital was satisfied that only one person was involved, and that this was not a widespread problem at the hospital.
Patients impacted by the security incident have been notified and a breach notice has been placed on the hospital website. Patients have been informed that the types of information accessed by the former employee included names, dates of birth, medical diagnoses, and information relating to treatments provided to patients.
No financial information, health insurance details, or Social Security numbers were viewed by the employee, and the investigation uncovered no evidence to suggest that any of the information that was accessed has been misused.
Lowell General Hospital provides training to all staff members, and clearly instructs employees that the accessing of medical records without a legitimate reason is strictly prohibited. While checks are performed to ensure that employees are abiding by hospital policies, the incident has prompted Lowell General Hospital to conduct a review of its privacy and security policies relating to its medical record system. Improvements will be made to ensure that any future instances of snooping are identified rapidly. The hospital will continue to provide ongoing training to staff on patient privacy.
What is not clear is how long the employee was able to improperly access medical records before the privacy violations were discovered. The number of patients impacted by the incident suggests the improper access had been ongoing for several months.
HIPAA requires covered entities and their business associates to regularly monitor PHI access logs for unauthorized access. While "regularly" is open to interpretation, it is best practice to conduct ongoing audits of access logs to help identify unauthorized activity.
These audits can be conducted manually, although tools are available to reduce the administrative burden. Those tools are either rule-based or behavior-based. The former requires rules to be set which will trigger alerts if they are violated, while behavior-based systems learn about normal access patterns and trigger alerts if any anomalies are detected. These automated solutions can help to detect improper activity much more quickly, allowing rapid action to be taken when employees snoop on medical records.
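To illustrate the two approaches to access-log auditing described above, here is an added example (not the hospital's tooling or any vendor's product) that runs a rule-based check and a simple behavior-based check over a constructed EHR access log. The log format, the user and patient IDs, and the "on care team" flag are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of an EHR access log (not from the article). Each row records the
# user who opened a chart, the patient ID, the date, and whether the user was on that
# patient's care team. nurse01 opens the same 4 charts every day; clerk02 normally opens
# 2 charts a day, then on the last day opens 12 charts of patients they do not treat.
SAMPLE_LOG = "user,patient,date,on_care_team\n" + "".join(
    f"nurse01,P{100 + i},2017-01-0{d},yes\n" for d in range(1, 6) for i in range(4)
) + "".join(
    f"clerk02,P{200 + i},2017-01-0{d},yes\n" for d in range(1, 5) for i in range(2)
) + "".join(f"clerk02,P{300 + i},2017-01-05,no\n" for i in range(12))


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def rule_based_alerts(rows):
    """Rule: every chart opened by someone not on the patient's care team is flagged."""
    return [(r["user"], r["patient"], r["date"]) for r in rows if r["on_care_team"] != "yes"]


def behavior_based_alerts(rows, baseline_days=4, sigma=3.0):
    """Learn each user's normal distinct-patients-per-day from their first
    `baseline_days` days, then flag later days above mean + sigma * stdev.
    A flat baseline (no variance) falls back to three times the mean."""
    per_day = defaultdict(lambda: defaultdict(set))
    for r in rows:
        per_day[r["user"]][r["date"]].add(r["patient"])
    alerts = []
    for user, days in per_day.items():
        dates = sorted(days)
        base = [len(days[d]) for d in dates[:baseline_days]]
        mu, sd = mean(base), pstdev(base)
        threshold = mu + sigma * sd if sd > 0 else 3 * mu
        for d in dates[baseline_days:]:
            n = len(days[d])
            if n > threshold:
                alerts.append((user, d, n, round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("rule-based:", len(rule_based_alerts(rows)), "accesses outside the care team")
    print("behavior-based:", behavior_based_alerts(rows))
```

The rule catches each out-of-relationship access individually, while the behavioral check flags the day on which clerk02's volume jumped, which is the kind of signal that would have shortened the months-long window discussed above.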