Criminal Investigation for Alleged HIPAA Violations
A former employee of ACM Global Laboratories, part of Rochester Regional Health, is being accused of continuously accessing a co-worker’s protected health information (PHI) without authorization. Kristina Ciaccia, the victim of the potential HIPAA violation, claims that Jessica Meier accessed her medical records hundreds of times over the course of two years. Ciaccia believes that her records were accessed in the hopes of finding embarrassing information to be used against her in an ongoing child custody battle.
Meier is currently under investigation for 215 counts of misdemeanor unauthorized use of a computer and 215 counts of felony computer trespass. In her arraignment in Gates town court, she pleaded not guilty. Her case will be heard in front of a grand jury.
“I want to make sure she is held accountable but, Rochester Regional has a liability here too. I mean… Over two years? Several other people are now involved in my family? That’s not fair to me. That’s not fair to them. It should have been stopped way before it got to this level,” stated Ciaccia.
Prosecutors claim that Meier used the access she was granted for her job at ACM Global Laboratory to not only view Ciaccia’s PHI, but also Ciccica’s family’s records.
When the Department of Health and Human Services (HHS) was contacted about the incident, representative Rachel Seeger replied that, “Generally, the HHS Office for Civil Rights (OCR) does not comment on open or potential investigations” – which makes it likely that the HHS is also investigating the potential HIPAA violation.
How Could the Alleged HIPAA Violation Been Avoided?
The Health Insurance Portability and Accountability Act (HIPAA) requires administrative safeguards to be put in place to secure protected health information.
The following administrative controls could have prevented the alleged HIPAA violation, or at the very least, led to faster detection of unauthorized access to PHI:
Policies and Procedures: dictate the permitted uses and disclosures of PHI. Employees must adhere to the minimum necessary standards, only accessing the PHI they need to perform a specific job function. Accessing PHI without cause, even for employees who are generally authorized to access PHI, is considered a HIPAA violation.
Employee Training: this is an essential component of HIPAA compliance. If employees fail to understand how they are permitted to use and disclose PHI, they can violate HIPAA. Although Ciaccia stated that, “You get trained in a medical field. I worked in the medical field before. She violated HIPAA. She violated every policy under that job. They’re well aware of. There’s a class on it,” the organization either failed to adequately train employees, or Meier allegedly ignored her training.
Unique Login Credentials: enable organizations to track access to PHI and designate different levels of access to PHI based on an employee’s job function. ACM Global Laboratories likely had this in place, as they were able to identify that the Meier was accessing Ciaccia’s PHI.
Access Controls: enabled by unique login credentials, allow organizations to designate levels of access to PHI based on an employee’s job function.
Audit Logs: enabled by unique login credentials and access controls, audit logs track access to PHI. Unique login credentials allow organizations to track who is accessing what PHI, how long they access it, and how frequently it is accessed. Audit logs establish normal access patterns for each employee so that inside threats to PHI can be quickly detected. Again, it is likely that ACM Global Laboratories had audit logs in place as Ciaccia received an audit from Rochester Regional Health in September. However, it is also likely that audit logs were not monitored closely as the alleged unauthorized access continued over a period of two years.
Sanctions: requires organizations to apply appropriate sanctions against workforce members who fail to comply with policies and procedures of the covered entity or business associate. An organization that does not know it is supposed to have a sanctions policy cannot plead ignorance as an excuse.