HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vanderbilt University Medical Center Employees Inappropriately Accessed 3,000 Patients’ PHI

Two employees of Vanderbilt University Medical Center have been discovered to have inappropriately accessed the medical records of more than 3,000 patients.

The inappropriate ePHI access was discovered during a routine audit of access logs, a requirement of the Health Insurance Portability and Accountability Act (HIPAA).

While the HIPAA Security Rule requires audit logs to be regularly reviewed by HIPAA-covered entities, in this case the inappropriate accessing of ePHI continued for 19 months before it was detected.

Vanderbilt University Medical Center first became aware of inappropriate ePHI access on December 27, 2016, prompting a full audit of access logs.

That audit revealed that two patient transporters at the medical center had viewed more information than was necessary for them to perform their work duties. The employees were required to move patients between treatment rooms and hospital floors. The pair were discovered to have first started viewing patients’ protected health information in May 2015. Medical records of patients continued to be accessed until December 2016.

The types of information accessed included patients’ names, medical record IDs, and birth dates. According to a press release from VUMC, one individual was also able to view some patients’ Social Security numbers. While patients’ electronic medical records were accessed, VUMC does not believe that any information has been copied or misused. VUMC has not said why patients’ health information was viewed by the employees, although the individuals concerned have been disciplined for their actions.

Patients are not believed to be at any elevated risk of suffering identity theft or fraud as a result of the privacy breaches. However, as a precaution, VUMC said “we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.” Any patient whose Social Security number has been viewed is being provided with credit monitoring services via Experian Family Secure “out of an abundance of caution.”

In response to the breach, Vanderbilt University Medical Center has changed policies and procedures relating to how patient transporters are provided with patients’ health information. Any PHI needed for patient transporters to conduct their work duties will now be provided on paper. Access to its medical record system will no longer be provided. Patient transporters have also received further training relating to the accessing of patient health information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.