URMC Employee Breaches HIPAA Providing PHI to New Employer

A former nurse of the University of Rochester Medical Center (URMC) has violated the Health Insurance Portability and Accountability Act (HIPAA) after she took a list of patients of the URMC neurology department and gave that information to her new employer, Greater Rochester Neurology (GRN). The list contained the Protected Health Information (PHI) and Personally Identifiable Information (PII) of 3,403 individuals, according to the report in the Rochester Democrat & Chronicle.

The nurse would not normally have been given a list of patient names, addresses, contact telephone numbers, dates of birth, gender, diagnosis information (and last treatment dates) prior to leaving employment at the hospital, but she “requested the list to help ensure continuity of care for the patients she was leaving, and she was provided the list for that purpose,” according to Dr. Robert G. Holloway, chair of the Department of Neurology.

The purpose of the list was to allow the nurse to make notes on the patients so that the information could be passed on to her replacement to ensure the care provided to patients would not suffer.

The unnamed nurse took a different view of continuity of care from URMC's and gave the list to her new employer, which sent a letter to the patients advising them that the nurse had left URMC and joined GRN, and inviting them to continue their care at Greater Rochester Neurology facilities.

The list was provided to the nurse on April 1, 2015, although URMC did not discover that the data had been used inappropriately until April 24 when patients started to contact the medical center to report they had received a letter from Greater Rochester Neurology.

Dr. Holloway wrote to all patients affected by the breach to inform them of the inappropriate use of their data and to advise them of the information that was temporarily in the hands of an unauthorized individual. The list has now been recovered from GRN and it has been confirmed that the list has not been passed on to any third party. He also made a point of advising patients that their Social Security numbers, insurance details and treatment information were not compromised in the incident.

Patients were informed that while URMC provided the list to the nurse, at no point was authorization given to use the data for non-work purposes, neither was she authorized to share that information with a third party.

Reducing the Risk of Employee Data Theft

Over the past two weeks a number of healthcare providers have been notified that they were affected by the HIPAA breach at Medical Management LLC, after an employee took data when leaving the company. While it is not clear whether that information was supplied to a new employer or taken for other reasons, two reports of employees taking data with them on leaving employment in just two weeks highlight the very real threat of HIPAA breaches from within. The risk of data theft is particularly high when employees leave an employer, and that risk can be difficult to manage effectively.

In order to reduce the risk of employee theft of PHI, there are a number of steps healthcare providers and other covered entities can take:

  • All staff required to view or access PHI – or individuals who are supplied with PHI for a particular task – must be informed of the rules and regulations surrounding the use and disclosure of that data.
  • A system for reporting suspicious activity should be set up to ensure that other members of the staff can easily, and confidentially, report any suspected breaches of privacy.
  • The staff must be advised of the penalties for breaching hospital policies, in addition to state and federal penalties, which can include heavy fines and imprisonment.
  • Privacy and security matters should be kept fresh in the mind using a variety of media and methods, such as notice board posters and internal bulletins, to remind staff of their responsibilities regarding PHI and PII.
  • If a member of staff has given notice that they have taken a post with another employer, data privacy and security rules should be reaffirmed, in particular with regard to ownership of data and legal responsibilities regarding confidentiality and disclosure of information. They should also be provided with a copy of the confidentiality agreement they signed, if one exists.
  • When an employee leaves a healthcare provider, email accounts and login credentials must be terminated immediately, at the moment of departure, to prevent any further PHI access.
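The two incidents above share a pattern: an employee who has given notice touches far more patient records than their day-to-day role requires, and the employer only finds out after the data has left. HIPAA's audit-control requirement means covered entities already hold the EHR access logs needed to spot this earlier. The following is an added example, not code from URMC, GRN or the article's author: it joins an HR notice feed to a constructed EHR audit log and flags any departing employee who accesses or exports an unusual number of distinct patient records in one day. The log format, user names, the 30-day notice window and the 25-patient threshold are all assumptions chosen for illustration; a real deployment would read the EHR's own audit trail and tune the threshold per role.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# HR notice feed (constructed, hypothetical): user -> date they gave notice.
NOTICE_DATES = {"rn_smith": date(2015, 3, 20)}


def build_sample_log():
    """Constructed EHR audit records: (iso_timestamp, user, action, patient_id)."""
    log = []
    # Routine activity by the departing nurse, well under the threshold.
    for i in range(3):
        log.append((f"2015-03-25T09:{10 + i:02d}:00", "rn_smith", "view", f"P{1000 + i}"))
    # A bulk export of a patient list shortly before departure.
    for i in range(40):
        log.append((f"2015-04-01T10:{i:02d}:00", "rn_smith", "export", f"P{2000 + i}"))
    # A clinician who has not given notice touching many records: not flagged,
    # because this check is scoped to employees in their notice period.
    for i in range(40):
        log.append((f"2015-04-01T11:{i:02d}:00", "dr_jones", "view", f"P{3000 + i}"))
    return log


def in_notice_window(user, day, notice_dates, window_days):
    """True if `day` falls between the user's notice date and their assumed last day."""
    start = notice_dates.get(user)
    return start is not None and start <= day <= start + timedelta(days=window_days)


def flag_departing_user_activity(log, notice_dates, window_days=30, threshold=25):
    """Return one alert per (user, day) where a departing employee touched more
    distinct patient records than `threshold`. Counting distinct patients rather
    than raw events avoids alerting on repeated views of one chart."""
    patients_per_day = defaultdict(set)
    for ts, user, action, patient_id in log:
        day = datetime.fromisoformat(ts).date()
        if in_notice_window(user, day, notice_dates, window_days):
            patients_per_day[(user, day)].add(patient_id)

    alerts = []
    for (user, day), patients in sorted(patients_per_day.items()):
        if len(patients) > threshold:
            alerts.append({
                "user": user,
                "day": day.isoformat(),
                "distinct_patients": len(patients),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_departing_user_activity(build_sample_log(), NOTICE_DATES):
        print(f"ALERT {alert['user']} on {alert['day']}: "
              f"{alert['distinct_patients']} distinct patient records")
```

Run against the constructed log, the only alert is the departing nurse's 40-record export on 2015-04-01; the second clinician's identical volume is ignored because they are not in a notice window. In practice this kind of check is a complement to, not a substitute for, limiting what a leaving employee can be given in the first place: in the URMC case the list was handed over deliberately, so the control that would have mattered most is a review of any bulk PHI release to staff who have already resigned.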

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.