According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights.
All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person.
Over the past five years, 307 breaches have been detected at MUSC, resulting in 30 members of non-physician staff being fired. None of those breaches appear on the OCR breach portal, which only lists breaches impacting 500 or more individuals. Under HIPAA Rules, all breaches of PHI must be reported to OCR regardless of size, but only breaches affecting 500 or more individuals are made public and detailed on the breach portal; smaller breaches are reported to OCR annually and are not published.
The revelations were made at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is considered important to help prevent future privacy breaches. The medical university has made it abundantly clear what actions will be taken against employees discovered to have violated HIPAA Rules.
According to the Post and Courier, one board member questioned whether terminating employees for minor privacy breaches was a draconian measure; however, the threat of federal investigations and audits over data breaches involving employees has made such swift and decisive action necessary. Heavy fines can be imposed when an audit or investigation reveals that HIPAA Rules have not been followed. The actions taken by MUSC show clearly that it takes privacy and security seriously and that HIPAA violations by employees will not be tolerated.
OCR may be focused on pursuing financial penalties for serious breaches of PHI that affect large numbers of individuals, but that does not mean that investigations do not take place for smaller breaches. There have been multiple investigations of small breaches that have resulted in financial penalties for HIPAA violations by covered entities and their business associates.
The most recent example was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach impacting 441 patients. Further, in 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.
While small breaches may not make the headlines, they are serious for the individuals concerned, a point MUSC makes in its employee training sessions. Efforts to communicate the importance of privacy have also been stepped up, and employees are left in no doubt that the hospital's policy is to terminate staff who violate HIPAA Rules.
It would be unreasonable to single out MUSC as having a poor record for privacy breaches, as many hospitals are likely to have similar statistics. What is certainly commendable is the full transparency and the swift and decisive action taken when patient privacy is violated, whether with malicious intent or simply by curious employees.