Ohio University Hospitals Worker Fired for Improper EHR Access

An Ohio University Hospitals Elyria Medical Center worker has been fired for inappropriately accessing the medical records of patients while employed at the hospital.

Alicia Reale, a spokesperson for the hospital, announced yesterday that the medical records of approximately 300 patients had potentially been improperly accessed by an employee of the hospital. The data breach resulted in Protected Health Information (PHI) potentially being viewed and copied.

An investigation was triggered when the hospital discovered an employee had accessed the EHR system without a legitimate work purpose for doing so.

Reale said “The information that may have been accessed for the impacted patients includes names, dates of birth, medical record numbers, dates of service and diagnostic and treatment information, ” according to a report in the Chronicle-Telegram.

Another Case of Hospital Employees Snooping on Medical Records

No financial information or Social Security numbers were exposed in the incident, and while the extent of access was determined, Reale said “We did not identify any purpose for the activity.” The incident has been attributed to snooping out of curiosity.

The employee did not hold a professional license, although the identity and position held has not been disclosed. Hospital policy forbids the accessing of medical records without authorization, which was not provided to the employee concerned. As a result, the employee’s contract was terminated.

The incident was reported to local and federal law enforcement and Reale confirmed that all affected patients were sent breach notification letters on July 2, 2015. The hospital has also set up a hotline for affected patients to check the exact information that was compromised in the breach.

Since there was no apparent malicious intent, and since Social Security numbers and financial information were not viewed, patients are not being offered credit monitoring services.

Reale confirmed that the privacy of patients is taken very seriously and said “We are committed to maintaining the privacy of our patients’ information and have taken many precautions to safeguard it.”

HIPAA Breach Notification Rules When Fewer than 500 Records are Compromised

Under HIPAA Rules, breach notification letters must be issued to patients affected by a security breach, and the Department of Health and Human Services’ Office for Civil Rights (OCR) must be notified. The time scale for alerting the OCR is 60 days from the discovery of the breach; although in this case since the incident affected fewer than 500 individuals, a breach report is not required until the beginning of March, 2016.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.