Case Study – Accessing Patient Information Without Need


Accessing patient information without need is a HIPAA violation no matter who the offender is. Need is defined as having a medical reason for accessing the patient’s information. The fact that someone is a patient of the practice isn’t, in and of itself, enough reason to view that patient’s information. Access without need is especially common in situations involving celebrities. A recent case shows how seriously the privacy of medical records is being taken. Dozens of employees at Northwestern Memorial Hospital in Chicago have been fired for accessing Empire actor Jussie Smollett’s hospital records, violating both HIPAA regulations and the hospital’s own policies.

What happened?

On January 29, 2019, Jussie Smollett alleged that he was attacked by two individuals. He was admitted into Chicago’s Northwestern Memorial Hospital emergency room for injuries he sustained.

After a police investigation, it was alleged that Mr. Smollett had staged the entire incident as a publicity stunt. He was arrested on February 21 and charged with disorderly conduct and filing a false police report.

Due to the amount of media coverage of the case, both with the initial attack and the subsequent arrest, employees of the hospital became curious and searched for Mr. Smollett’s medical records. Many of them viewed the records directly.

What was the result?

As a matter of normal course, Northwestern Memorial Hospital reviewed its access logs for Protected Health Information (PHI). They discovered that dozens of employees had searched for and accessed the records.

The hospital then took action and fired every employee who viewed the records. The exact numbers are not known, and the hospital has declined to comment, citing privacy grounds. However, several news agencies reported that as many as 60 have been fired.

Accessing patient information without need is a HIPAA violation

If a medical need has not been established, then accessing the record of a patient is a HIPAA violation.

Another similar incident occurred in 2008 when 13 employees of UCLA Medical Center were fired for viewing the medical records of Britney Spears. Ms. Spears had been hospitalized in the psychiatric unit for treatment.

Celebrity records are a temptation for staff who have access to the records. The penalties can also include jail time.

Training staff on the HIPAA regulations as well as your practice’s own policies is a good way to help mitigate this issue. In addition, logs should be kept of anyone’s access to PHI so that evidence can be obtained should it be needed.