Mass Violations of Patient Privacy at Virginia Clinic

Instances of employees snooping on patient medical records are frequently uncovered; however few cases have involved snooping on such a large scale as the privacy breach recently discovered at the Roanoke, Va. Carilion Clinic. The not-for-profit healthcare provider recently discovered fourteen members of staff had accessed a patient’s medical records without having any clinical reason for doing so.

Mass Privacy Violations Uncovered By Access Log Audit


There have been cases of doctors snooping on fellow physicians’ records, and numerous instances of healthcare workers stealing data with intent to defraud, but it is rare for snooping to occur on such a widespread scale and involve so many employees. Previous cases of mass privacy violations have involved celebrities or other high profile individuals, and this appears to be the case at the Roanoke clinic.

According to Carilion spokesperson, Chris Turnbull, “If a big story pops up, we regularly monitor employee access into the medical records system.” The monitoring of access is possible because every time a patient’s records are viewed, the system logs the user’s credentials. By analyzing the access logs it is possible to see which individuals viewed a particular record, and determine whether there was any legitimate reason for viewing a particular file.

In this case, after performing its access log analysis, Carilion discovered that fourteen individuals had snooped on a patient’s records, which is against hospital policy and HIPAA rules.

Following the discovery of improper access, Carilion staff ascertained the severity of the privacy violation and interviewed all 14 employees separately. Each staff member was then disciplined according to the seriousness of the offense.

Vicki Clevenger, chief compliance officer for Carilion, issued a statement in which she confirmed that the clinic “takes patient privacy very seriously”. She also said, “When Carilion discovers potential issues, an immediate investigation is launched. Aspects of an investigation vary, but may include a review of the electronic medical record(s) in question and interviews with individuals involved.”

In this case the matter was dealt with swiftly; however there could well be repercussions for the clinic and the members of staff concerned.

Privacy Violations Carry Serious Penalties


Snooping on patient records is a serious offense, and one that does not just put an employment contract at risk. Improper access of medical records is punishable with a heavy fine and even time behind bars. The Department of Health and Human Services’ Office for Civil Rights investigates serious data breaches, and can take action if HIPAA violations are discovered, and heavy fines can be issued. The Department of Justice may also decide that criminal penalties are in order, and could file charges against the individuals concerned.


Employee Snooping a Difficult Issue to Tackle


Hospitals cannot totally eliminate the risk of employees snooping on patient records; if access to patient records is provided to staff members, sooner or later an employee will get curious and view medical records without authorization.

To reduce the risk of privacy violations, all staff members should be instructed on HIPAA Privacy Rules and informed of federal and state penalties for violations of patient privacy.

Members of staff are unlikely to forget that improper access of medical records is wrong, but they may decide to snoop if they believe there is little chance of getting caught. It is therefore essential to monitor access to EHRs and to conduct regular audits. If the risk of being caught is perceived to be high, fewer employees will be tempted to snoop.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.