A recently discovered Mecklenburg County HIPAA violation has infuriated county officials. An investigation has now been conducted to determine how HIPAA Rules were so easily violated.
The incident was discovered on Monday this week. A member of the Mecklenburg County staff received a freedom of information request from the media who were investigating how 185 female patients were not informed about abnormal PAP smear results.
While information should have been provided as requested, a member of staff accidentally sent the media a spreadsheet containing the protected health information of more than 1,200 health department patients. The spreadsheet had been compiled for state officials who were conducting an audit. Two media outlets received the spreadsheet.
The error was made by a staff member who was responding to another Mecklenburg County HIPAA violation. The name of an individual was accidentally sent to the media earlier in the month.
The latest Mecklenburg County HIPAA violation could prove incredibly costly. Not only can incidents such as this destroy patients’ confidence that their health information will remain private and confidential, but large fines also await organizations that violate HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights can fine organizations $100 to $50,000 per violation up to a maximum of $1,500,000 per violation category, per year.
If inadequate policies were in place to protect the privacy of health department placements, and that was the case for a number of years, multi-million dollar fines can be issued.
Policies should exist for dealing with information requests, with a failsafe to ensure that a mistake by a single member of staff does not result in a major privacy violation. Freedom of information requests can be handled by a single member of staff, but any response to those requests should be checked by a supervisor or an attorney.
To prevent future incidents of this nature from occurring, all information requests will now be checked by two employees prior to information being emailed outside the organization. This is a stop-gap measure. Further policy changes are under discussion. Mecklenburg County officials have also banned employees from adding the protected health information of department of health patients to spreadsheets.