Patient Record Snoopers Punished
Carilion Clinic Fires or Disciplines 14 Workers for Inappropriate Access
Carilion Clinic, a Roanoke, Va.-based non-profit network of hospitals and outpatient facilities, has fired or disciplined 14 employees over a problem common at many healthcare organizations: patient record snooping.
In the wake of a recent "high profile case" in the region, 14 employees were found to have accessed patient medical records without a legitimate patient-care need, says Vicki Clevenger, vice president and chief compliance officer at Carilion, in a statement to Information Security Media Group.
"Based on the findings of our internal investigation, appropriate actions have been taken with each employee, up to and including termination," she says. Eleven of the employees were based in the New River Valley region of Virginia, while three were based in the organization's facilities in Roanoke, she says.
A Carilion Clinic spokesman tells ISMG: "Out of respect for the privacy of our employees and former employees, I can't provide any specifics on how many were terminated, how many were reprimanded, what positions, etc." The clinic also declined to identify the patient whose records were violated.
A Common Problem
Record snooping is a common problem for many hospitals and other healthcare organizations. And when snooping is discovered, the consequences vary widely.
In addition to firings, "discipline may include a warning, retraining or suspension," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "HIPAA requires that a covered entity impose a sanction on any workforce member who violates privacy or security policies, but provides the covered entity with wide latitude to determine the appropriate level of sanction."
Some healthcare providers institute a progressive system, with the level of sanctions increasing for multiple violations or for particularly egregious violations, Greene notes. "Some healthcare entities employ more of a zero-tolerance approach, terminating any workforce member who violates a privacy or security policy," he adds.
Many other organizations have terminated record-snooping employees. Among those is Allina Hospitals and Clinics, a Minnesota health delivery system. In 2011, the organization fired 32 employees for inappropriately looking at the electronic health records of patients involved in a mass drug overdose case (see Allina Fires 32 for Records Snooping).
There have also been several notable incidents involving the firing of healthcare workers who snooped on the medical records of celebrities. For instance, in July 2013, Cedars-Sinai Medical Center in Los Angeles fired five employees and a student research assistant for inappropriately accessing 14 patient records during a one-week period in June. Just a few days before the inappropriate access, reality T.V. celebrity Kim Kardashian gave birth to a baby daughter at the hospital. The medical center didn't confirm whether it was Kardashian's records that were breached, though that was widely suspected in the gossip circles at the time.
And at least one celebrity record-snooping incident has resulted in penalties imposed by the Department of Health and Human Services' Office for Civil Rights, which oversees enforcement of HIPAA.
In 2013, UCLA Health System entered a resolution agreement with OCR, which included a $865,500 payment and a corrective action plan aimed at remedying gaps in its compliance with HIPAA rules. At the heart of that investigation, which was launched in 2009, were complaints filed on behalf of two celebrity patients who alleged that UCLA employees repeatedly viewed their electronic protected health information, as well as those of other patients, without permission.
Assessing the Risks
Inappropriate record access by employees leads to widely varying levels of risk, says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"I categorize them in three ways - from bad to worst. First, there are people who are 'checking on Aunt Sally.' This isn't malicious, but is not permitted," he says. Those incidents are usually addressed by healthcare entities through training and sanctions, he notes.
The second common type of inappropriate access "is the worker snooping on an ex-girlfriend or former boss or someone like that," he says. Those incidents are "bad, often malicious, harder to catch - because you have no way to single out the records in advance, as you do with celebrities - where flags are often put on the records or access is restricted more than usual," he says. Firing is often appropriate in those cases, he says.
Third are the incidents involving celebrities or others in the news. "These happen regularly. Employees need to be trained that they cannot [access their records], and that they will be caught and fired if they do it," he says. "And if they do something beyond 'curiosity,' for example selling a story to the media - they may get prosecuted as well."
Healthcare organizations must have an appropriate means of policing inappropriate access, Nahra stresses. "This requires monitoring and audit checking. Every facility needs to be thinking about these issues because they happen regularly."
Greene suggests organizations regularly review audit logs in two ways: manually, by choosing a random selection of entries, and through algorithms that may detect suspicious patterns, such as an unusually large number of people accessing a single patient's file.
"VIPs ... may warrant more targeted review," he says. Some healthcare organizations, however, also pay special attention to monitoring access to health records of employees. "I have heard of at least one healthcare organization that provides that any employee who is admitted as a patient will be given a list of all persons who accessed the patient's records, deterring co-workers from snooping into the record," Greene says.
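As an added example (not from the article or from any of the organizations named in it), the script below implements the review practices Greene describes over a constructed EHR access log: a random sample of entries for manual review, a flag for records opened by an unusually large number of distinct users, targeted review of VIP-flagged records, and the list of everyone who accessed an employee-patient's record. The patient and user ids are assumed values.

```python
import random
from collections import defaultdict

# Constructed sample EHR access log (not real data): timestamp,user_id,patient_id,action
SAMPLE_LOG = """\
2014-05-01T08:01:00,u100,p001,view
2014-05-01T08:02:00,u101,p001,view
2014-05-01T08:05:00,u102,p001,view
2014-05-01T08:06:00,u103,p001,view
2014-05-01T08:09:00,u104,p001,view
2014-05-01T08:15:00,u100,p002,view
2014-05-01T08:40:00,u100,p002,update
2014-05-01T09:00:00,u102,p777,view
2014-05-01T09:30:00,u101,p010,view
2014-05-01T09:45:00,u106,p010,view
"""

VIP_PATIENTS = {"p777"}  # records flagged in advance for targeted review (assumed id)

def parse_log(text):
    """Parse comma-separated lines into dicts, skipping blank lines."""
    fields = ("ts", "user", "patient", "action")
    return [dict(zip(fields, line.split(","))) for line in text.splitlines() if line.strip()]

def distinct_users_by_patient(rows):
    """Map each patient record to the set of distinct users who touched it."""
    users = defaultdict(set)
    for r in rows:
        users[r["patient"]].add(r["user"])
    return users

def flag_crowded_records(rows, max_users):
    """Records accessed by more distinct users than routine care would explain."""
    users = distinct_users_by_patient(rows)
    return sorted(p for p, u in users.items() if len(u) > max_users)

def vip_accesses(rows, vips):
    """Every access to a VIP-flagged record, for targeted human review."""
    return [(r["user"], r["patient"], r["ts"]) for r in rows if r["patient"] in vips]

def patient_access_report(rows, patient):
    """Sorted list of everyone who opened one record (e.g. for an employee-patient)."""
    return sorted(distinct_users_by_patient(rows)[patient])

def manual_review_sample(rows, n, seed=None):
    """Random selection of entries for the manual review Greene describes."""
    return random.Random(seed).sample(rows, min(n, len(rows)))
```

The threshold passed to flag_crowded_records is a tuning decision; a real deployment would derive it from each unit's normal care-team size rather than a fixed number.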
Becky Hood, CIO of Everett Clinic, a multi-specialty physician practice in Everett, Wash., says her organization uses a monitoring system from FairWarning to help red-flag inappropriate record access.
Not long after the system was rolled out at Everett Clinic, 13 staff members and physicians were fired over various incidents of inappropriate record access, she says. "Our policy leans toward no-tolerance [of record snooping], but we'll investigate each situation to determine if the incident was malicious, accidental or if a staff member didn't understand [the rules]," she says.
As for Carilion Clinic, the organization typically finds out about patient privacy concerns in two primary ways, Clevenger says. "Individuals may raise specific concerns, or Carilion may proactively monitor a high-profile patient's medical record."
As part of its patient privacy and security efforts, Carilion Clinic says it provides ongoing education to employees regarding privacy rules and regulations and monitors their access to patient records. When potential issues are discovered, Carilion Clinic launches an immediate investigation.