Vail Valley Medical Center Notifies 3,118 Patients of Unauthorized PHI Disclosure

Vail Valley Medical Center (VVMC) is in the process of notifying 3,118 patients of the inappropriate disclosure of some of their protected health information (PHI).

A physical therapist formerly employed at Howard Head Sports Medicine was discovered to have copied the PHI of patients and taken the data to his new employer. Prior to leaving employment, the physical therapist downloaded patient PHI onto a USB drive on two separate occasions.

VVMC discovered the former employee’s HIPAA violations on February 16, 2016. An internal investigation revealed that the physical therapist had inappropriately accessed patient PHI and copied data on December 1 and December 30, 2015.

No Social Security numbers, credit card numbers, bank account details, dates of birth, or addresses were taken, although the former employee did obtain patient names, patient ages, dates of service, amounts paid for medical services, and details of medical diagnoses, conditions, treatments, functional test outcomes, and progress information.

Patients affected by the breach had previously attended the Vail Valley Medical Center or Howard Head Sports Medicine for treatment. VVMC contacted the former employee and requested the return of the stolen data and portable storage devices. Those devices have now been recovered and certification has been obtained confirming that no data have been retained, and copies have been securely destroyed. The Office for Civil Rights and law enforcement have been notified of the HIPAA violation and privacy breach. VVMC has advised patients to exercise caution and to check Explanation of Benefits statements for any sign of fraudulent activity.

This type of HIPAA breach is not uncommon. When healthcare workers leave their employer and go to work for another healthcare provider, many are tempted to take patient data with them. While it is difficult to prevent the theft of PHI, healthcare organizations can take a number of steps to reduce the risk of this happening and to ensure that any unauthorized copying of data is rapidly identified.

In an effort to prevent this type of privacy breach from occurring in the future, VVMC has implemented tools that prevent the copying of patient data to portable storage devices, and new controls are being developed that will make it easier for staff to monitor for inappropriate accessing of health records by employees. VVMC has also appointed a new member of staff to act as Health Information Manager. The main responsibilities of the new role are to strengthen security controls and ensure that patient information is properly safeguarded. Further training on HIPAA Rules has also been provided to staff members, and policies and procedures are being updated.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.