Minnesota Hospital Fires 32 Over HIPAA Violations
When employees violate patient privacy rights and access Protected Health Information without authorization, it usually results in the termination of those employees’ contracts. However, a hospital in Minnesota has recently fired 32 employees for widespread snooping on the health records of patients.
Allina Hospitals and Clinics took action against employees in two hospitals in its network: the Mercy Hospital in Coon Rapids and the Unity Hospital in Fridley. The inappropriate access all related to patients who had been admitted following the same incident: a party in a neighboring town at which individuals had suffered drug overdoses.
The party was in Blaine; one patient died of a drug overdose and 11 more required hospital treatment. The incident was attributed to a synthetic drug that was supplied to the partygoers. An incident of this nature and scale naturally aroused the interest of hospital staff; however, HIPAA Rules prevent doctors, nurses and other healthcare professionals from accessing the medical records of individuals out of curiosity.
Medical records are private and can only be accessed for work purposes, and any snooping, whether with malicious intent or not, is a breach of patient privacy regulations. None of the individuals concerned had any legitimate work-related reason for accessing the medical records, leaving the hospital system with no alternative but to terminate the contracts of all employees concerned.
The scale of the incident may be shocking, but this is just one of many HIPAA violation cases involving inappropriate access to medical records that are reported each month to the Department of Health and Human Services’ Office for Civil Rights. This year the University Medical Center in Tucson, AZ, was forced to terminate the employment contracts of three members of staff for accessing medical records that they were not authorized to view.
The Mayo Clinic also suffered a breach in which approximately 2,000 records were accessed by an employee over a period of four years at the company’s Arizona Business Center.
Training Must be Provided to Help Prevent Unauthorized Accessing of PHI
Breaches caused by employees snooping on the medical records of patients are a difficult security vulnerability to tackle, and almost impossible to prevent entirely. The provision of training on HIPAA Privacy and Security Rules will help to ensure that all members of staff are made aware of the reasons why data must be protected. Training sessions should also be provided regularly to make sure HIPAA Rules are always kept fresh in the mind.
It is also essential that staff are made aware of the actions that will be taken by the hospital if PHI is accessed without authorization, and policies must be developed to routinely monitor for inappropriate access. This will ensure that the risk of snooping and unauthorized access is kept to a minimum.