Case Study – Unauthorized Access to Patient Records

      Comments Off on Case Study – Unauthorized Access to Patient Records

Small practices have a hard time managing their HIPAA compliance. There is a hidden threat that most don’t address. It is the unauthorized access to patient records and it is the HIPAA violation that most often goes unnoticed by practices. This is where an employee views the charts of patients that they have no medical need to access. Perhaps they want to view the records of their friends or family or an ex-lover. Regardless of the reason, if there is no medical need, it is a HIPAA violation. This often happens in the case of high profile patients but regardless of the patient’s status, it’s still a violation. In this week’s case study, we see where an individual viewed more than 2000 records without a need that led to a HIPAA breach.

What happened?

Franciscan Health (FH), a Mishawaka, Indiana medical facility, discovered that an employee had accessed the confidential records of 2,180 patients. Once discovered, FH terminated the employee and filed a breach report with OCR.

What was the result?

The former employee viewed the around 2,200 records of patients. At this time, it doesn’t appear that the former employee copied, send or disclosed any of the patient data that they viewed. It appears from the investigation, that this person was able to view the Social Security number, contact information, diagnoses, treatment information, prescriptions, all contact and insurance information, and laboratory results.

FH sent all of the patients impacted by the breach notification as well as an offer for two years of free identity theft protection.

How can you prevent unauthorized access to patient records?

Most EMR systems have a logging system that shows who accesses what in the system. It is important for office management to review these logs from time to time to ensure that employees aren’t accessing the records they have no reason to do. This is the best way to protect from this threat.

In addition, practices should provide training to their staff on this issue. It is important that staff members understand how serious this issue is and what the possible ramifications are for violations.