Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access
390 patients of Wayne Memorial Hospital, Honesdale, Penn., are in the process of being notified of a breach of their protected health information after it was discovered a nurse aide had accessed patient health records without authorization. The information accessed included personally identifiable information along with Social Security numbers, insurance information, and medical diagnoses.
The incident was brought to the attention of hospital managers on December 8, 2015, when a member of staff came forward and reported patient health information may have been accessed by the nurse aide.
An investigation was immediately launched, which involved a forensic review of file access attempts, to determine whether data had been inappropriately viewed. After determining restricted data had been inappropriately viewed, the nurse aide was fired and the incident was reported to law enforcement.
The former employee had received training on the HIPAA Privacy and Security Rules, and was fully aware that data access was not permitted unless necessary as part of the provision of patient care.
According to a statement issued by Wayne Memorial Hospital CEO David Hoff, members of staff also receive regular reminders about HIPAA Rules, with emails sent to staff on what the hospital calls “HIPAA Tuesdays.” The emails are intended to remind members of staff of the importance of patient privacy, and they “often detail examples of non-compliance.”
Importance of Developing a Privacy and Security Aware Culture
While technology can be used to alert healthcare organizations to inappropriate access to patient health records, it is also important to foster a privacy and security aware culture, and to encourage staff to report potential privacy violations anonymously and without fear of reprisal.
If staff members are vigilant it may be possible to discover privacy breaches more rapidly, which can limit the harm caused as well as the number of patients affected.
While this appears to have been the case at Wayne Memorial Hospital, Hoff said further controls may be necessary to reduce the probability of similar privacy breaches occurring in the future. The hospital is now looking at software solutions that would allow inappropriate access attempts to be identified more rapidly. The hospital is also considering restricting access privileges further for specific groups of employees.
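The software controls described above amount to comparing EHR audit trails against documented care relationships. The following is an added illustration written for this article, not code from the hospital or any vendor; the log format, the assignment table and the `BREAK_GLASS=` reason field are assumptions, and the sample data is constructed.

```python
from datetime import datetime

# Constructed treatment-team assignments: (user, patient) pairs the EHR
# recorded as an active care relationship. Anything else is "no relationship".
ASSIGNMENTS = {
    ("nurseaide_01", "P1001"),
    ("nurseaide_01", "P1002"),
    ("rn_07", "P2001"),
}

# Constructed EHR audit log lines: "timestamp user patient action [reason]"
AUDIT_LOG = [
    "2015-12-01T08:15:00 nurseaide_01 P1001 VIEW_CHART",
    "2015-12-01T08:20:00 nurseaide_01 P1002 VIEW_DEMOGRAPHICS",
    "2015-12-01T22:40:00 nurseaide_01 P3105 VIEW_CHART",
    "2015-12-01T22:41:00 nurseaide_01 P3106 VIEW_DEMOGRAPHICS",
    "2015-12-01T22:43:00 nurseaide_01 P3107 VIEW_CHART",
    "2015-12-02T15:30:00 rn_07 P2001 VIEW_CHART",
    "2015-12-02T15:32:00 rn_07 P2002 VIEW_CHART BREAK_GLASS=ED-code-blue",
]


def parse_line(line):
    """Split one audit line into fields; the trailing reason is optional."""
    ts, user, patient, action, *rest = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action,
            "reason": rest[0] if rest else ""}


def find_unrelated_access(log, assignments):
    """Return (violations, overrides): events where the user had no documented
    care relationship with the patient. Break-the-glass overrides are kept
    apart so a privacy officer reviews the stated reason instead of treating
    an emergency access as a violation outright."""
    violations, overrides = [], []
    for line in log:
        ev = parse_line(line)
        if (ev["user"], ev["patient"]) in assignments:
            continue
        (overrides if ev["reason"].startswith("BREAK_GLASS=") else violations).append(ev)
    return violations, overrides


def users_over_threshold(violations, max_unrelated_patients=2):
    """Count distinct unrelated patients per user; users above the limit are
    the ones to escalate for a forensic review of their full access history."""
    per_user = {}
    for ev in violations:
        per_user.setdefault(ev["user"], set()).add(ev["patient"])
    return {u: len(p) for u, p in per_user.items() if len(p) > max_unrelated_patients}
```

Running this over the constructed log flags the three off-shift chart views by `nurseaide_01` and sets the emergency override by `rn_07` aside for reason review.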
“We have been ahead of the technology curve, and I can assure you that we will do all that we can to make sure something like this does not happen again,” said Hoff.
While no evidence has been uncovered to suggest any patient health information has been used inappropriately, all affected individuals are being offered credit monitoring services for a year without charge.
Hoff says, “We take our patients’ privacy very seriously,” a statement backed up by the rapid notification of affected patients and the posting of a breach notice on the WMH website.
HIPAA Breach Notification Rule and Data Breaches Impacting Fewer Than 500 Individuals
Under HIPAA Rules, a healthcare provider must notify the Department of Health and Human Services’ Office for Civil Rights (OCR) of any breach of PHI, although only breaches affecting more than 500 patients must be reported within 60 days; smaller breaches can be reported annually. Even though there is no pressing need to notify OCR of a smaller breach, it is good practice to issue the breach report as soon as the incident has been investigated. Individual notices, however, must be issued to affected individuals within 60 days, regardless of how many individuals have been affected by the breach, and without unreasonable delay.
A media notice is only required for breaches impacting more than 500 individuals, unless it is not possible to contact individuals affected by a data breach. In that case, a substitute individual notice can be posted on the home page of the covered entity’s website (for at least 90 days), or the notice must go in major print or broadcast media, in the area where affected patients are most likely to reside.