A not-for-profit medical center has reported a breach of patient health information. Sutter Health of Northern California discovered an employee had inappropriately accessed patient records while employed at the medical center. The Sutter Health HIPAA breach involved hundreds of patients.
On October 10, 2014, Sutter Health conducted one of its regular security audits and discovered that the records of 14 patients had been accessed by a particular employee who had no apparent reason to view them. However, the investigation that followed found the problem to be much more serious. In total, 844 patient records had been accessed over the course of a year, with the first incident taking place in October 2013.
The Sutter Health HIPAA breach was recently announced. The healthcare provider explained the extent of the security breach and the data that had been improperly accessed. The medical records accessed by the employee included “patient demographics, last four digits of social security number, clinical information including diagnosis and clinical notes, and prescription information.”
Sutter Health pointed out that the risk of identity or medical fraud is low. It determined during the course of its investigation that the employee was not viewing records with any criminal or malicious intent, and was only viewing the data out of curiosity. No further risk of unauthorized access to medical records is believed to exist, as the employee in question is no longer employed by Sutter Health. Breach notification letters have now been sent to all affected individuals alerting them to the HIPAA breach.
Employee snooping is a problem faced by all healthcare providers, and it is a cause of HIPAA breaches that is difficult to eliminate entirely. One of the best methods is training on HIPAA Rules and regulations; in particular, training should cover the Privacy Rule, the accessing and disclosure of healthcare data, and the penalties for violations. Refresher training courses should be conducted regularly, and HIPAA and data security announcements should be posted on notice boards and sent in staff bulletins to help keep HIPAA Rules fresh in the mind.
It is also important to conduct regular internal security audits to check for inappropriate accessing of medical records by staff, as well as to look for signals that hackers may have infiltrated a network. All access attempts must be logged, and these logs should be audited regularly. The Sutter Health HIPAA breach went on unnoticed for a year; it would appear that only one annual security audit was being conducted. Covered entities are therefore advised to check their access logs much more frequently, so that prompt action can be taken against employees who violate HIPAA privacy rules.
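The kind of access-log review described above can be automated so that it runs daily rather than once a year. The following is an added illustration, not code from Sutter Health or from the article: it parses a constructed, simplified EHR access log, flags record views where the user has no documented care relationship with the patient (same treating unit, or an explicit care-team assignment), and ranks users by how many distinct unrelated patients they looked at. The log format, the unit names, the `CARE_TEAM` table and the user and patient identifiers are all assumptions made for the example; real EHR audit logs differ by vendor and a production rule would draw the care relationship from the scheduling or ADT system rather than a hard-coded table.

```python
"""Flag EHR record accesses that lack a documented care relationship.

Assumed (constructed) log format, one line per access event:
    timestamp,user_id,user_unit,patient_id,patient_unit,action
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. u205 works in billing but views clinical
# records from several units over two days; u101 views one patient
# outside cardiology but is on that patient's care team.
SAMPLE_LOG = """\
2013-10-03T08:12:00,u101,cardiology,p001,cardiology,view
2013-10-03T08:15:00,u101,cardiology,p002,cardiology,view
2013-10-03T12:40:00,u205,billing,p001,cardiology,view
2013-10-03T12:41:00,u205,billing,p003,oncology,view
2013-10-04T09:02:00,u205,billing,p004,oncology,view
2013-10-04T09:05:00,u205,billing,p005,neurology,view
2013-10-05T14:20:00,u310,oncology,p003,oncology,update
2013-10-05T14:22:00,u310,oncology,p004,oncology,view
2013-10-06T10:00:00,u101,cardiology,p005,neurology,view
"""

# Constructed care-team table: (user_id, patient_id) pairs that justify
# access across unit boundaries, e.g. a consulting physician.
CARE_TEAM = {
    ("u101", "p005"),
}


def parse_log(text):
    """Parse the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, user_unit, patient, patient_unit, action = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "user_unit": user_unit,
            "patient": patient,
            "patient_unit": patient_unit,
            "action": action,
        })
    return events


def has_care_relationship(event, care_team=CARE_TEAM):
    """True when the user's unit treats the patient or the user is on
    the patient's care team (assumed definition for this example)."""
    same_unit = event["user_unit"] == event["patient_unit"]
    assigned = (event["user"], event["patient"]) in care_team
    return same_unit or assigned


def flag_unjustified(events, care_team=CARE_TEAM):
    """Return every access event with no documented care relationship."""
    return [e for e in events if not has_care_relationship(e, care_team)]


def rank_users(flagged, min_patients=2):
    """Rank users by distinct unrelated patients viewed; a user touching
    many unrelated charts is the pattern behind curiosity snooping."""
    per_user = defaultdict(set)
    for e in flagged:
        per_user[e["user"]].add(e["patient"])
    ranked = [(u, len(p)) for u, p in per_user.items() if len(p) >= min_patients]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def summarize_by_day(flagged):
    """Count flagged events per calendar day for a daily review queue."""
    per_day = defaultdict(int)
    for e in flagged:
        per_day[e["time"].date().isoformat()] += 1
    return dict(per_day)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = flag_unjustified(evs)
    for e in hits:
        print(f"{e['time'].isoformat()} {e['user']} ({e['user_unit']}) "
              f"-> {e['patient']} ({e['patient_unit']}) {e['action']}")
    print("users for review:", rank_users(hits))
    print("flagged per day:", summarize_by_day(hits))
```

Running the script lists the four billing-department views of clinical records and ranks `u205` for review, while the cross-unit view by `u101` is left alone because of the care-team entry. Running `summarize_by_day` against each day's log is the practical version of "check access logs much more frequently": a reviewer sees two unexplained views on the first day instead of 844 a year later.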