HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Regular PHI Access Log Audits Can Prevent Major PHI Breaches

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, but abused those access rights.

The employee worked in the Atmore Community Hospital, a 49-bed facility serving patients in Escambia and Monroe counties in Alabama. A routine audit of PHI access logs on November 18, 2016 revealed that the individual had been inappropriately accessing patient records since October 3, 2015, and continued to do so until November 11, 2016: more than 13 months of unauthorized access before it was detected.

According to a press release issued by Infirmary Health, the information accessed was limited to patient names, admission dates and flowsheets. It is unclear why the information was accessed, although it is not believed that any data have been disclosed to any other individual or copied and removed from the hospital. PHI appears to have been accessed purely out of curiosity.

In accordance with Health Insurance Portability and Accountability Act (HIPAA) Rules, the employee was authorized to view the minimum necessary information to conduct work duties and had received extensive training and specific instructions not to access the PHI of patients for non-work related reasons.


As a result of the discovery, the employee was placed on leave until the matter was investigated, and was later fired for breaching hospital policies and HIPAA Rules.

Infirmary Health has informed affected patients by mail and advised them to monitor their personal financial activity as a precaution, although the risk of any information being used inappropriately is believed to be very low.

Tackling the Problem of Unauthorized PHI Access by Employees

Training must be provided to healthcare employees on HIPAA Rules covering patient privacy, the circumstances under which PHI can be accessed, and the penalties for improper access.

Healthcare organizations should be aware that even with extensive training, unauthorized PHI access is likely to occur. In this case, patient privacy has been violated but no financial harm is believed to have been caused. However, as we have seen on numerous occasions this year, that is not always the case. All too often PHI is stolen and used for identity theft and fraud.

Under the HIPAA Security Rule, hospitals and medical centers are required to regularly review records of information system activity, including PHI access logs, but all too often those reviews occur far too infrequently. Annual checks could allow rogue employees to view vast numbers of patient records before the privacy violations are discovered; in this case, access continued for over a year. During that time, hundreds of patients could suffer financial harm.

Only by regularly conducting audits of PHI access logs can healthcare organizations limit the harm caused to patients and nip the problem in the bud. Regular audits will also send a strong message to healthcare employees that inappropriate PHI access will be rapidly identified and swift action taken against the individuals concerned.
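What such an audit looks like in practice, as an added example that is not code from Infirmary Health or HIPAA Journal: the script below flags record views by users who have no documented care relationship with the patient, summarizes them per user, and computes how many days a given review schedule would have left the earliest such access undetected. The log format, the care-team table and the log lines are constructed for the example; the only date taken from the article is the November 18, 2016 audit.

```python
"""Minimal PHI access-log audit: flag record views with no documented care
relationship and measure how long a given review schedule would leave the
earliest such access undetected.  Added example with constructed data."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log (not real data).  Fields: timestamp, user, patient, action.
SAMPLE_LOG = """\
2015-09-30T08:12:00 u1001 p4401 VIEW_FLOWSHEET
2015-10-03T22:41:00 u1001 p9102 VIEW_FLOWSHEET
2015-10-03T22:44:00 u1001 p9107 VIEW_ADMISSION
2015-10-15T10:02:00 u1002 p4401 VIEW_FLOWSHEET
2015-11-09T23:10:00 u1001 p9110 VIEW_FLOWSHEET
2016-02-01T09:00:00 u1002 p4420 VIEW_ADMISSION
2016-11-11T21:30:00 u1001 p9450 VIEW_FLOWSHEET
"""

# Constructed care-team table: which users have a treatment relationship with
# which patient.  In a real EHR this would come from assignment/encounter data.
CARE_TEAM = {
    "p4401": {"u1001", "u1002"},
    "p4420": {"u1002"},
    "p9102": {"u2001"},
    "p9107": {"u2002"},
    "p9110": {"u2003"},
    "p9450": {"u2001"},
}

# Date of the audit that uncovered the access described in the article.
DISCOVERY_DATE = date(2016, 11, 18)


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, user, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action}


def unrelated_accesses(log_text, care_team):
    """Return log entries whose user has no care relationship with the patient."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["user"] not in care_team.get(entry["patient"], set()):
            findings.append(entry)
    return findings


def summarize_by_user(findings):
    """Per user: number of unrelated accesses, distinct patients, first/last date."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    summary = {}
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["ts"])
        summary[user] = {
            "count": len(entries),
            "patients": len({e["patient"] for e in entries}),
            "first": entries[0]["ts"].date(),
            "last": entries[-1]["ts"].date(),
        }
    return summary


def detection_lag_days(first_access, review_dates):
    """Days from the first unrelated access to the first review on or after it.
    Returns None if no review in the schedule would have examined it."""
    later = [d for d in review_dates if d >= first_access]
    return (min(later) - first_access).days if later else None


def monthly_reviews(start, months):
    """First-of-month review dates, beginning the month after `start`."""
    dates = []
    y, m = start.year, start.month
    for _ in range(months):
        m += 1
        if m > 12:
            y, m = y + 1, 1
        dates.append(date(y, m, 1))
    return dates


if __name__ == "__main__":
    summary = summarize_by_user(unrelated_accesses(SAMPLE_LOG, CARE_TEAM))
    for user, s in summary.items():
        print(user, s)
    first = summary["u1001"]["first"]
    print("monthly reviews, days to detect:", detection_lag_days(first, monthly_reviews(first, 14)))
    print("single review on 2016-11-18, days to detect:", detection_lag_days(first, [DISCOVERY_DATE]))
```

On the constructed data, u1001 is flagged for four patients outside their care team while u1002 is not flagged at all; a monthly review would have surfaced the first such access within 29 days, whereas waiting for a review on November 18, 2016 would have left it undetected for 412 days. A care-relationship check like this one is a starting point, not a complete audit: off-hours access, unusual record volumes, and lookups of employees or VIP patients are the other signals a production review would add.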

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.