The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

390 patients of Wayne Memorial Hospital, Honesdale, Penn., are in the process of being notified of a breach of their protected health information after it was discovered a nurse aide had accessed patient health records without authorization. The information accessed included personally identifiable information along with Social Security numbers, insurance information, and medical diagnoses.

The incident was brought to the attention of hospital managers on December 8, 2015, when a member of staff came forward and reported that patient health information may have been accessed by the nurse aide.

An investigation was immediately launched, which involved a forensic review of file access attempts, to determine whether data had been inappropriately viewed. After determining restricted data had been inappropriately viewed, the nurse aide was fired and the incident was reported to law enforcement.

The former employee had received training on the HIPAA Privacy and Security Rules, and was fully aware that data access was not permitted unless necessary as part of the provision of patient care.

According to a statement issued by Wayne Memorial Hospital CEO David Hoff, members of staff also receive regular reminders about HIPAA Rules, with emails sent to the staff on what the hospital calls “HIPAA Tuesdays.” The emails are intended to remind members of staff about the importance of patient privacy. The emails “often detail examples of non-compliance.”

Importance of Developing a Privacy- and Security-Aware Culture

While technology can be used to alert healthcare organizations to the inappropriate accessing of patient health records, it is also important to encourage a privacy- and security-aware culture, and to encourage staff to report potential privacy violations anonymously without fear of reprisal.

If staff members are vigilant, it may be possible to discover privacy breaches more rapidly, which can limit the harm caused as well as the number of patients affected.

While this appears to have been the case at Wayne Memorial Hospital, Hoff said further controls may be necessary to reduce the probability of similar privacy breaches occurring in the future. The hospital is now looking at software solutions that would allow inappropriate access attempts to be identified more rapidly. The hospital is also considering restricting access privileges further for specific groups of employees.

“We have been ahead of the technology curve, and I can assure you that we will do all that we can to make sure something like this does not happen again,” said Hoff.

While no evidence has been uncovered to suggest any patient health information has been used inappropriately, all affected individuals are being offered credit monitoring services for a year without charge.

Hoff says, “We take our patients’ privacy very seriously,” which has been backed up by rapidly notifying affected patients, and posting a breach notice on the WMH website.

HIPAA Breach Notification Rule and Data Breaches Impacting Fewer Than 500 Individuals

Under HIPAA Rules, a healthcare provider must notify the Department of Health and Human Services’ Office for Civil Rights of any breach of PHI, although only those affecting more than 500 patients need to be reported within 60 days. Smaller breaches can be reported annually. Even though there is no pressing need to notify OCR, it is good practice to issue breach reports as soon as the incident has been investigated. However, individual notices must be issued to affected individuals within 60 days, regardless of how many individuals have been affected by the breach. Individual breach notices should be issued without unreasonable delay.

A media notice is only required for breaches impacting more than 500 individuals, unless it is not possible to contact individuals affected by a data breach. In that case, a substitute individual notice can be posted on the home page of the covered entity’s website (for at least 90 days), or the notice must be placed in major print or broadcast media in the area where affected patients are most likely to reside.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
