A hospital in New York has fired several employees following a security breach.
Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, announced that several employees accessed patient protected health information (PHI) without proper authorisation. This violates the Health Insurance Portability and Accountability Act (HIPAA).
Officials at the hospital discovered the mishandling of PHI during an internal investigation. The reason for the investigation remains unclear. It is possible that it started following a complaint from a patient, or that a routine HIPAA-mandated audit of PHI access logs uncovered the violations.
“Patient privacy is very important to Claxton-Hepburn Medical Center,” said hospital spokeswoman Laura Shea. “Our employees cannot provide care without having access to patient information, but Claxton-Hepburn maintains detailed policies, procedures and safeguards relating to privacy and security of patient information and all employees are required to comply with those standards.”
“Beginning the day an employee is hired, they receive education on the requirement to protect a patient’s personal health information,” Ms Shea said in a statement. “Additionally, employees receive ongoing training on the requirements of HIPAA (the Health Insurance Portability and Accountability Act of 1996) and our policies and procedures and Claxton-Hepburn monitors compliance with those standards through random audits.”
HIPAA’s Privacy Rule requires that all employees know that patient information should only be accessed if the PHI is needed for work duties or when patient records need to be updated. The employees involved in this data breach had no legitimate reason to access the PHI and thus violated HIPAA. Healthcare facilities must inform employees that accessing patient information without authorisation results in disciplinary actions.
In response to the breach, Claxton-Hepburn Medical Center has implemented further safeguards to reduce the likelihood of similar HIPAA violations in future. In accordance with HIPAA’s Breach Notification Rule, breach notification letters were sent to all patients affected by the breach.
Claxton-Hepburn Medical Center has stated that the police were not involved and that the matter was handled internally.