Ohio Radiologist Disciplined for HIPAA Violation
The Ohio State Board of Medicine has taken action against a radiologist who violated the Health Insurance Portability and Accountability Act (HIPAA) by unlawfully accessing the medical records of a colleague.
The radiologist, Dr. Aimee Hawley, accessed the records of a work colleague at Mercy Health St. Rita’s Medical Center in September 2013. Hawley has since left the hospital’s medical staff.
It is not known why Hawley accessed the records of her physician colleague; she should have been aware of the restrictions HIPAA places on access to Protected Health Information. Joan Wehrle, education and outreach program manager at the State Medical Board of Ohio, said the source of the complaint about the HIPAA violation was being kept confidential.
Wehrle pointed out that patient privacy is a serious matter and that “No one can access a patient’s medical records unless they are a treating or consulting physician or have permission from the patient.”
As a result of this transgression, Hawley has agreed to sign a consent agreement submitting to disciplinary action. The consent agreement is attached to Hawley’s medical license and constitutes her agreement to a “reprimand and probationary punishment,” after she “intentionally accessed the electronic medical records of a physician colleague (and) further admits that she was not a treating physician, nor was she asked to consult, or provide diagnostic service.”
The terms of the reprimand and probationary punishment include:
- A written apology to the individual concerned for the unlawful access of Protected Health Information
- The provision of quarterly confirmations of continued HIPAA compliance to the Board of Medicine
- Attendance at face-to-face meetings at the request of the State Medical Board
- Compulsory attendance at medical ethics training sessions
- A submission of a written report summarizing what has been learnt during training
The Risk of Improper Access Can Be Reduced
Employees who access the Protected Health Information of fellow employees or patients without authorization can face civil claims for damages, and criminal charges may be filed, which can result in heavy fines and up to a decade in prison.
Even with these risks, inappropriate access to records by employees occurs all too frequently in hospitals. These HIPAA violations can be difficult to identify, and often it is only when a full security audit is completed – involving the checking of access logs – that the violations are uncovered.
Many HIPAA covered entities do not perform full audits regularly and fail to identify improper access for many months, or in some cases years. If a covered entity is to avoid also being penalized for allowing PHI to be viewed, access logs must be checked regularly so that improper access is identified promptly.
The Department of Health and Human Services’ Office for Civil Rights can issue substantial penalties for violations of the HIPAA Security Rule, such as failing to put in place the technical, physical and administrative safeguards required to protect PHI. State Attorneys General may also file lawsuits against organizations and individuals for HIPAA violations.
Training a Major Factor in Reducing HIPAA Violations
It is also essential that training on the HIPAA Rules is provided to all staff who come into contact with PHI. HIPAA was enacted in 1996 to protect the privacy of patients, yet some physicians and other medical professionals are still unaware of how the rules apply to Protected Health Information.
It is essential – and a requirement of HIPAA – to provide staff with training on HIPAA, data privacy and security matters. Not only must training be provided, regular refresher training must also take place so that patient privacy stays fresh in the mind.
Restricting all access to PHI may not be practical, but wherever possible an individual’s access should be limited to the “minimum necessary” information for their role, as the HIPAA Privacy Rule requires. This reduces both the risk of improper access and the temptation to view records without authorization.
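The two controls discussed above, a preventive access check and the retrospective review of access logs, are easier to reason about when they share one policy. The script below is an added example and not code from the article, the medical board or any hospital system: it encodes the board's rule quoted earlier (treating or consulting relationship, or patient permission) together with a role-based "minimum necessary" limit, applies it at access time, and then replays the same policy over a constructed audit trail so that every access the policy would have denied becomes a finding. Accesses to a colleague's record are escalated, since that is the case this article is about. The user names, patient identifiers, role model, consent table and log format are all assumptions for illustration; real EHR audit formats differ, and a production policy would also cover payment and operations uses that the article's quote does not mention.

```python
import re

# Constructed reference data for this example (assumptions, not from the article).
# Documented treating/consulting relationships: patient -> users with a clinical role.
CARE_TEAM = {
    "P-1001": {"phys_a", "nurse_c"},
    "P-2002": {"phys_a"},
}
# Patients who have given written permission for a named user to view their record.
PATIENT_CONSENT = {"P-1001": {"phys_d"}}
# Patients who are also members of staff; an unexplained access here is the
# co-worker case the article describes.
EMPLOYEE_PATIENTS = {"P-2002"}
# Role of each user and, per role, the record sections that role needs to do its
# job ("minimum necessary"). Assumed role model for illustration only.
ROLES = {"phys_a": "physician", "phys_b": "physician",
         "phys_d": "physician", "nurse_c": "nurse"}
MIN_NECESSARY = {
    "physician": {"demographics", "notes", "labs", "meds"},
    "nurse": {"demographics", "notes", "meds"},
}


def check_access(user, patient, section):
    """Preventive check applied before a record section is shown.

    Models the board's rule quoted in the article (treating/consulting
    relationship or patient permission) plus the minimum-necessary standard.
    Payment and operations uses are out of scope here. Returns (allowed, reason).
    """
    role = ROLES.get(user)
    if role is None:
        return False, "unknown user"
    if section not in MIN_NECESSARY.get(role, set()):
        return False, f"section '{section}' exceeds minimum necessary for role '{role}'"
    if user in CARE_TEAM.get(patient, set()):
        return True, "treating/consulting relationship on record"
    if user in PATIENT_CONSENT.get(patient, set()):
        return True, "patient permission on record"
    return False, "no treating/consulting relationship and no patient permission"


# Assumed audit-log line format; real EHR audit trails differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+patient=(?P<patient>\S+)\s+"
    r"action=(?P<action>\S+)\s+section=(?P<section>\S+)$"
)


def review_access_log(lines):
    """Retrospective check: replay the same policy over the audit trail.

    Every access the policy would have denied becomes a finding; accesses to a
    colleague's record are marked critical so they are reviewed first, and
    entries that cannot be parsed are reported rather than silently skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append({"ts": None, "user": None, "patient": None,
                             "severity": "error",
                             "reason": f"unparseable entry: {line.strip()}"})
            continue
        e = m.groupdict()
        allowed, reason = check_access(e["user"], e["patient"], e["section"])
        if allowed:
            continue
        severity = "high"
        if e["patient"] in EMPLOYEE_PATIENTS:
            severity = "critical"
            reason += "; record belongs to a member of staff"
        findings.append({"ts": e["ts"], "user": e["user"], "patient": e["patient"],
                         "severity": severity, "reason": reason})
    return findings


# Constructed audit entries for the run below (not real data).
SAMPLE_LOG = [
    "2013-09-03T08:12:44 user=phys_a patient=P-1001 action=VIEW section=notes",
    "2013-09-03T09:40:10 user=phys_b patient=P-2002 action=VIEW section=notes",
    "2013-09-03T10:05:31 user=nurse_c patient=P-1001 action=VIEW section=labs",
    "2013-09-03T11:22:07 user=phys_d patient=P-1001 action=VIEW section=notes",
    "2013-09-03T13:48:55 user=phys_b patient=P-1001 action=VIEW section=demographics",
]

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['user']} -> {f['patient']}: {f['reason']}")
```

Run as a script it prints three findings from the five sample entries: the physician viewing a colleague's notes (critical), a nurse opening a lab section outside her role's minimum necessary set, and a physician viewing the demographics of a patient she has no relationship with. The point of sharing `check_access` between the live check and the log review is that the audit cannot drift away from the enforced policy; if the organisation later adds purposes such as payment, both controls change together.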