HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Possible HIPAA Breach Sparks University of Cincinnati Medical Center Investigation

An investigation has been launched following a complaint about a data breach at the University of Cincinnati Medical Center. The HIPAA security breach occurred when a hospital employee in the financial services division accessed the data of a patient and shared that information with a third party, who subsequently used the information to conduct a hate campaign on Facebook.

The hospital took action rapidly when the incident came to light and terminated the employment of the individual in question, with legal action soon to commence. This incident was reportable under HIPAA guidelines to the Office for Civil Rights (OCR), and while the hospital claims to have issued a notification to the OCR, the OCR was unable to confirm whether the report had been received.

A failure to report the incident would be a direct HIPAA violation, although the University of Cincinnati Medical Center claims to have documentation to prove that the notification of the data breach was made via the HHS website well within the notification deadline.

Fines are issued by the OCR for data breaches as well as HIPAA compliance failures. In this instance, since data was accessed and used deliberately, the Medical Center could potentially be issued with a heavy fine as a result of the unauthorized use of the data. Deliberate data breaches – those conducted with the full knowledge of the individual concerned – can result in fines of between $10,000 and $1.5 million being issued by the OCR.

The hospital denies any wrongdoing, and since the individual responsible for posting details of the patient on Facebook was not employed by the medical center, a fine may be avoided. However, questions will be raised about why an individual in the finance department was allowed access to ePHI when this should not be required for the individual to perform his role at the hospital.

The federal investigation will address these issues and will determine whether the hospital – under the circumstances – should have restricted access to PHI and whether any other HIPAA compliance issues exist; however, at this stage the hospital has yet to receive any notification that an investigation has commenced.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.