HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

390 patients of Wayne Memorial Hospital, Honesdale, Penn., are in the process of being notified of a breach of their protected health information after it was discovered a nurse aide had accessed patient health records without authorization. The information accessed included personally identifiable information along with Social Security numbers, insurance information, and medical diagnoses.

The incident was brought to the attention of hospital managers on December 8, 2015, when a member of staff came forward and reported patient health information may have been accessed by the nurse aide.

An investigation was immediately launched, which involved a forensic review of file access attempts, to determine whether data had been inappropriately viewed. After determining restricted data had been inappropriately viewed, the nurse aide was fired and the incident was reported to law enforcement.

The former employee had received training on the HIPAA Privacy and Security Rules, and was fully aware that data access was not permitted unless necessary as part of the provision of patient care.

According to a statement issued by Wayne Memorial Hospital CEO David Hoff, members of staff also receive regular reminders about HIPAA Rules, with emails sent to the staff on what the hospital calls “HIPAA Tuesdays.” The emails are intended to remind members of staff about the importance of patient privacy. The emails “often detail examples of non-compliance.”

Importance of Developing a Privacy and Security Aware Culture


While technology can be used to alert healthcare organizations to the inappropriate accessing of patient health records, it is also important to encourage a privacy and security aware culture, and to encourage staff to report potential privacy violations anonymously without fear of reprisal.

If staff members are vigilant it may be possible to discover privacy breaches more rapidly, which can limit the harm caused as well as the number of patients affected.

While this appears to have been the case at Wayne Memorial Hospital, Hoff said further controls may be necessary to reduce the probability of similar privacy breaches occurring in the future. The hospital is now looking at software solutions that would allow inappropriate access attempts to be identified more rapidly. The hospital is also considering restricting access privileges further for specific groups of employees.

“We have been ahead of the technology curve, and I can assure you that we will do all that we can to make sure something like this does not happen again,” said Hoff.

While no evidence has been uncovered to suggest any patient health information has been used inappropriately, all affected individuals are being offered credit monitoring services for a year without charge.

Hoff says, “We take our patients’ privacy very seriously,” which has been backed up by rapidly notifying affected patients, and posting a breach notice on the WMH website.

HIPAA Breach Notification Rule and Data Breaches Impacting Fewer Than 500 Individuals


Under HIPAA Rules, a healthcare provider must notify the Department of Health and Human Services’ Office for Civil Rights of any breach of PHI, although only those affecting more than 500 patients need to be reported within 60 days. Smaller breaches can be reported annually. Even though there is no pressing need to notify OCR, it is good practice to issue breach reports as soon as the incident has been investigated. However, individual notices must be issued to affected individuals within 60 days, regardless of how many individuals have been affected by the breach. Individual breach notices should be issued without unreasonable delay.

A media notice is only required for breaches impacting more than 500 individuals, unless it is not possible to contact individuals affected by a data breach. In that case, a substitute individual notice can be posted on the home page of the covered entity’s website (for at least 90 days), or the notice must go in major print or broadcast media, in the area where affected patients are most likely to reside.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.