The importance of conducting regular internal audits has been highlighted by University of Colorado Health (UCHealth). UCHealth regularly audits its access logs to determine whether patients' Protected Health Information (PHI) has been inappropriately accessed by members of staff. In its latest audit, UCHealth discovered this to be the case.
An employee was discovered to have snooped on patient health records. Access logs showed the medical records of 827 patients had been inappropriately accessed since UCHealth conducted its last data access audit.
The employee did not access Social Security numbers, financial or billing information, as those data were not viewable with the level of privileges the employee had been given. The privacy breach did result in patient names, phone numbers, addresses, dates of birth, health insurance information, and care/treatment plans being accessed.
An investigation into the HIPAA privacy breach was conducted and the employee was questioned. It would appear that access to patient files had been gained purely out of curiosity, and not with any malicious intent. A statement released by UCHealth says there is no reason to believe any of the data viewed have been disclosed to other individuals.
Accessing patient files without authorization is a violation of HIPAA rules and hospital policy. As a result of his or her actions, the employee’s employment contract was terminated.
UCHealth conducts annual training on data privacy and security. As a result of the privacy breach, the staff has been retrained. All staff members have been instructed that they are only permitted to view the medical files of patients to whom they are required to provide active medical care.
All affected patients will be mailed a breach notification letter in the next few days to alert them to the privacy breach, and to advise them of steps they can take to protect themselves against fraud, should they wish to do so.
PHI access logs must be maintained and regularly audited
Healthcare employees must be granted access to patient medical files to conduct their work duties. The PHI that can be accessed must be limited to the minimum necessary to conduct those duties. A system should be put in place to log all access attempts, and those logs must be regularly checked to determine whether any employee has abused their PHI access rights.
Staff members should be advised of the HIPAA Rules relating to patient privacy. They should also be informed that audits will be conducted and that abuse will be discovered, and told of the penalties for improper access.
It is not possible to eliminate the risk of employees snooping on patient medical records, but the risk can be kept to a minimum. Regular auditing of PHI access logs ensures that, in the event of a privacy breach, the damage is also kept to a minimum.
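The kind of access-log check described above, written as an added example (not UCHealth's own tooling): it compares each logged record view since the last audit against a care-assignment list and flags views of patients the employee does not actively treat. The log format, employee and patient identifiers, care assignments and audit date are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access log (not real data); one event per line:
# <timestamp> <employee_id> <action> <patient_id> <record_sections>
ACCESS_LOG = """\
2020-01-03T14:02:10 emp101 VIEW pt009 demographics
2020-01-06T09:12:44 emp101 VIEW pt001 demographics,treatment_plan
2020-01-06T09:15:02 emp101 VIEW pt002 demographics
2020-01-07T11:40:19 emp102 VIEW pt003 demographics,treatment_plan
2020-01-07T13:05:51 emp101 VIEW pt004 demographics,insurance
2020-01-08T08:30:00 emp101 VIEW pt005 demographics
2020-01-08T08:31:27 emp103 VIEW pt001 treatment_plan
malformed line that should be skipped
""".splitlines()

# Constructed care assignments: the patients each employee actively treats.
CARE_ASSIGNMENTS = {
    "emp101": {"pt001"},
    "emp102": {"pt003"},
    "emp103": {"pt001", "pt005"},
}

def parse_access_log(lines):
    """Parse log lines into dicts, skipping any line without five fields."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed entry: skip it rather than abort the audit
        ts, emp, action, pt, sections = parts
        events.append({"time": datetime.fromisoformat(ts), "employee": emp,
                       "action": action, "patient": pt,
                       "sections": sections.split(",")})
    return events

def find_unjustified_access(events, assignments, since_iso):
    """Events on or after `since_iso` (the last audit) where the employee has
    no care relationship with the patient, i.e. beyond minimum-necessary access."""
    since = datetime.fromisoformat(since_iso)
    return [e for e in events if e["time"] >= since
            and e["patient"] not in assignments.get(e["employee"], set())]

def summarize_by_employee(flagged):
    """Map each employee to the distinct patients accessed without justification."""
    summary = defaultdict(set)
    for e in flagged:
        summary[e["employee"]].add(e["patient"])
    return dict(summary)
```

Running `summarize_by_employee(find_unjustified_access(parse_access_log(ACCESS_LOG), CARE_ASSIGNMENTS, "2020-01-05"))` on the sample reports emp101 with three patients viewed outside any care relationship, while the earlier pt009 view is left for the previous audit period.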