A former healthcare worker was discovered to have been improperly accessing patient files through an EHR platform for 12 years. Over that period they accessed the files of 7,000 patients without any need to do so. More details on the EHR HIPAA violation are discussed below.

Aultman Health Foundation in Ohio Insider Breach

EHR HIPAA Violation

Aultman Health Foundation in Ohio, the organization where the healthcare worker in question was employed, announced that they had fired an employee for an EHR HIPAA violation. It was recently discovered that the employee had been using their login credentials to access the protected health information (PHI) of patients that they were not involved in treating.

Although the employee had permission to view PHI as part of their job, HIPAA requires PHI to only be used or disclosed for a specific purpose. Since the employee was accessing PHI of patients they were not treating, they violated the HIPAA minimum necessary standard. PHI impermissibly accessed included names, birthdates, health insurance information, Social Security numbers, addresses, and diagnosis and treatment information.

Aultman commented on the EHR HIPAA violation stating, “Upon discovering this, the employee’s access to Aultman’s electronic health record system was suspended, and an investigation was conducted to determine the nature and scope of the incident. To help prevent something like this from happening again, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients.”


EHR HIPAA Violations: How to Prevent Them

Although it is unclear what specific privacy and security protections Aultman had in place, there are certain protections that every healthcare organization should implement.

User Authentication and Access Controls

To ensure adherence to the HIPAA minimum necessary standard, you must create unique login credentials for each employee (user authentication), and use those credentials to designate different levels of PHI access to employees based on their job function (access controls).

Audit Logs and Detecting Insider Breaches

Audit logs, enabled through the use of unique login credentials, track and log access to sensitive data. This facilitates the quick detection of insider breaches, as each employee’s regular access patterns are logged, including which employee accesses what data and for how long. This way, should an employee access PHI outside of their regular job function, administrators can easily identify that. For instance, if Aultman had audit logs in place, they would have quickly identified that an employee was excessively accessing patient information, instead of it t
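The two protections described above (unique credentials with role-based access, and audit logs reviewed for access outside a user's job function) can be shown together in a small script. This is an added example, not Aultman's system or Compliancy Group's code; the role definitions, user directory, patient IDs and audit log lines are all constructed sample data, and the "treatment relationship" check is an assumed way of expressing the minimum necessary standard in code.

```python
"""Minimum-necessary access checks and audit-log review for an EHR.

Added example (not Aultman's system or Compliancy Group's code). Roles,
patient IDs, user names and the log lines below are constructed sample
data for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed role definitions: which PHI categories each job function may view.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "insurance", "clinical"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}

# Constructed user directory: one unique login per person (user authentication),
# each with a role and the patients they currently treat or bill (assumption).
USERS = {
    "jdoe": {"role": "physician", "patients": {"P001", "P002"}},
    "asmith": {"role": "billing", "patients": {"P001", "P003"}},
    "rlee": {"role": "front_desk", "patients": {"P004"}},
}


def authorize(user_id, patient_id, category):
    """Return (allowed, reason). A request passes only if the login exists,
    the role may view that PHI category, and the user has a relationship
    with the patient (the minimum necessary standard)."""
    user = USERS.get(user_id)
    if user is None:
        return False, "unknown user"
    if category not in ROLE_PERMISSIONS[user["role"]]:
        return False, f"role {user['role']} may not view {category}"
    if patient_id not in user["patients"]:
        return False, "no treatment relationship with patient"
    return True, "ok"


# Constructed audit log lines: timestamp, user, patient, PHI category, action.
AUDIT_LOG = """\
2024-03-01T08:02:11 jdoe P001 clinical view
2024-03-01T08:05:40 jdoe P002 clinical view
2024-03-01T09:15:02 asmith P001 insurance view
2024-03-01T09:16:30 asmith P007 insurance view
2024-03-01T09:17:01 asmith P008 demographics view
2024-03-01T09:17:45 asmith P009 demographics view
2024-03-01T12:40:12 rlee P004 demographics view
2024-03-01T12:41:03 rlee P001 clinical view
"""


def parse_audit_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, category, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "category": category, "action": action})
    return events


def review_audit_log(events, max_off_caseload=0):
    """Flag users whose logged accesses would not have passed authorize().
    Returns {user: [(timestamp, patient, reason), ...]} for every user with
    more than max_off_caseload impermissible accesses."""
    findings = defaultdict(list)
    for e in events:
        allowed, reason = authorize(e["user"], e["patient"], e["category"])
        if not allowed:
            findings[e["user"]].append((e["ts"].isoformat(), e["patient"], reason))
    return {u: f for u, f in findings.items() if len(f) > max_off_caseload}


if __name__ == "__main__":
    for user, hits in review_audit_log(parse_audit_log(AUDIT_LOG)).items():
        print(f"{user}: {len(hits)} impermissible access(es)")
        for ts, patient, reason in hits:
            print(f"  {ts} {patient}: {reason}")
```

Because each log line carries a unique user ID, the review can be run per employee and compared against that employee's role and caseload; the same `authorize` function that gates live requests is reused to re-evaluate historical access, so the access-control rules and the detection rules cannot drift apart. The `max_off_caseload` threshold lets a reviewer tolerate occasional legitimate exceptions (for example, covering for a colleague) while still surfacing the sustained pattern the case above describes.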