HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of Pulse Victims Improperly Accessed by Orlando Health Employees

A number of employees of Orlando Health have breached HIPAA Rules by accessing the medical records of patients without authorization. Some of the patients who had their privacy violated were survivors of the shooting at the Orlando Pulse nightclub.

The medical records of patients were first accessed on June 15, 2016; three days after the Pulse shooting. However, Orlando Health did not discover the privacy breach until July 12. Breach notification letters were sent to affected patients a month later.

Orlando Health has not disclosed how many employees improperly accessed the medical records of patients, although the breach notification letter indicates only one employee was involved. However, Orlando Health issued a statement to Eyewitness news saying the privacy breach involved “team members” violating hospital rules.

Orlando Health has not disclosed how many patients had their medical records viewed, although at least two victims of the Pulse shooting had their medical records improperly accessed by at least one Orlando Health employee.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The types of data accessed includes names, dates of birth, admission times, reason for admission, location of the hospital where treatment was provided, medical record numbers, and account numbers. Social Security numbers, financial information, medical histories, and health insurance information were not viewed. No data appears to have been copied or used inappropriately.

Following an internal investigation into the incident, Orlando Health ascertained that patient records were not accessed with malicious intent. The improper access was due to “team members giving in to their personal curiosities.”

Orlando Health has confirmed that hospital employees have previously received training on hospital and HIPAA Rules covering patient privacy. In response to the privacy breach Orlando Health has re-educated workforce members about patient privacy and HIPAA Rules. The team members that violated patient privacy have been disciplined, although how those individuals were disciplined was not divulged.

According to the breach notification letter, Orlando Health is “continually evaluating and modifying our practices and the practices of employees to enhance the security and privacy of all confidential and protected health information.” That process will continue and the program of auditing the accessing of patient health records will be stepped up to ensure that any future instances of employee snooping are identified promptly.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.