Case Study – Lack of Security Awareness Training Leads to Breach

Among healthcare professionals, there is a lot of confusion about what is and is not considered a breach under HIPAA laws. For example, if an employee accidentally discloses Protected Health Information (PHI) while performing their duties, it is not considered a breach. But the key is that the employee must have had the proper training. This includes security awareness training and training on HIPAA procedures. Training is mandated under HIPAA regulations. Recently, the Department of Health and Human Services began to grade the quality of the training that entities implement. In this week’s case study, we see how providing training spared one entity an expensive investigation and possible lawsuits.

What happened?

Sue Kalina of Butler, Pennsylvania accessed 111 records of patients that she had no medical need to access, a HIPAA violation. In addition, she disclosed the PHI of four individuals to others who had no medical need to access it.

She was working as a patient care coordinator for Tri Rivers Musculoskeletal (TRM), an affiliate of the University of Pittsburgh Medical Center (UPMC). She accessed the records of friends, former classmates, and people she had taken issue with. This started in March 2016 and continued until June 2017.

In one especially serious case, she accessed the records of an employee of her former employer, Frank J. Zottola Construction. Ms. Kalina had worked for the company for 24 years before being replaced by a younger lady. Ms. Kalina accessed the personal medical records of this replacement employee and then sent an email to the company and left it a voice mail disclosing the employee’s gynecological information.

What was the result?

Zottola contacted UPMC to complain about the release of the employee’s information. UPMC initiated its own investigation, and once it was completed, Ms. Kalina was terminated. The US Attorney’s Office filed charges against her, and she was convicted and sentenced to one year in jail. US District Judge Arthur Schwab chose a sentence at the upper end of what is allowed because of the seriousness of the crime. At her sentencing, Ms. Kalina claimed she didn’t know it was a crime to access the records. However, it was pointed out that she had received HIPAA training along with security awareness training as part of her duties at UPMC. This fact put all culpability squarely on Ms. Kalina. Since UPMC had provided her with the mandated training, it was not held liable in the incident.

How security awareness training protects your practice

In this case, UPMC did what it was required to do: provide the HIPAA-mandated training to its employees. UPMC has a documented training program that its employees must complete once they have been hired. The training is documented to ensure that UPMC has evidence that the employees did, in fact, complete the training. This documentation was used in the trial of Ms. Kalina.

All Covered Entities and Business Associates are required to provide training to their employees under HIPAA regulations. Not only does this training help your employees keep attackers out, but it also protects you from liability later. It is critical that you document all the training that you provide. This case shows that clearly.

It is also necessary to provide training more than once per year. There are always new threats, such as phishing and ransomware, that employees need to be kept up to date on. These threats change constantly, and a single training session won’t cover them.

Training offers many benefits to your practice that go beyond HIPAA compliance. It empowers your employees so that they can help protect your practice from attacks. But it also makes sure that if one of them ever were to do something they shouldn’t, you did what you were required to do to educate them. This could really save you from an expensive situation down the road.