HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of 62,950 of its members to a third-party for training purposes.

Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA.

The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor.

The types of data disclosed includes member names’, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of service, medical record numbers, treatment information, and medical images.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While the disclosures were not made for malicious purposes and further disclosures of the PHI are not believed to have occurred, Humana is offering affected individuals 2 years of complimentary credit monitoring and identity theft protection services.

UPMC St. Margaret Fires Employee for Impermissible PHI Disclosure

UPMC St. Margaret has discovered an employee impermissibly disclosed the protected health information of certain patients to a third-party organization without authorization.

On August 2020, UPMC, St. Margaret discovered a medication administration report had been sent to an organization when there was no legitimate work purpose for doing so. The report contained information such as names, UPMC identification numbers, and medication administration data, including drug name, dose, time/date of administration, and the reason for providing medication.

Following the discovery of the impermissible disclosure, the employee’s access to UPMC systems was terminated, as was the individual’s employment with UPMC after the investigation was completed. the 11,135 affected individuals were notified about the privacy breach on March 5, 2021. No reason was provided about the notification delay.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.