HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Two Cases of Unauthorized PHI Access by Employees Reported

Two healthcare providers have announced they have discovered employees have improperly accessed the protected health information of patients. In one case, the medical records of 5,400 were improperly accessed over a period of 4 years.

Providence Health & Services in Oregon recently conducted an internal audit which included the checking of ePHI access logs. Auditors discovered that a Portland-based employee had been accessing patient files without any legitimate work reason for doing so.

The improper access first started in July 2012 and continued until April 2016. During that time, the records of approximately 5,400 patients were accessed.

The files included patient names, demographic information, details of medical treatments, and potentially also medical insurance details and Social Security numbers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Providence Health & Services does not believe that the employee disclosed any patient information to any other individuals nor that any information has been used inappropriately.

The discovery has prompted Providence Health & Services to introduce new controls to prevent improper access of ePHI in the future. All affected patients are now being notified of the breach and are being offered two years of complimentary credit monitoring services. The employee has been fired for breaching HIPAA Rules and violating the privacy of patients.

AnMed Health Discovers Employee of Business Associate Improperly Accessed PHI

Anderson, South Carolina-based AnMed Health has also reported an instance of improper accessing of PHI by an employee.

The individual in question was employed by a business associate of AnMed Health, Cardon Outreach. Cardon Outreach was contracted by AnMed to provide screening and enrollment assistance in relation to medical assistance programs including Medicaid.

The individual was discovered to have improperly accessed the files of 22 patients – including her own file – while working at an AnMed Health campus in Anderson in June 2016.

The employee is believed to have accessed the files out of curiosity, rather than with malicious intent. AnMed Health does not believe any PHI was copied by the individual nor that there is a significant risk of patients coming to harm.

Patients have now been informed of the privacy breach and have been advised to monitor their credit reports for any sign of fraudulent activity as a precaution. Cardon Outreach has fired the employee for breaching HIPAA Rules and AnMed Health’s privacy policy.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.