Former healthcare worker was discovered to have been improperly accessing patient files through an EHR platform for 12 years. Over this time period they accessed 7,000 patients’ files without the need to do so. More details on the EHR HIPAA violation are discussed below.
Aultman Health Foundation in Ohio Insider Breach
Aultman Health Foundation in Ohio, the organization where the healthcare worker in question was employed, announced that they had fired an employee for an EHR HIPAA violation. It was recently discovered that the employee had been using their login credentials to access the protected health information (PHI) of patients that they were not involved in treating.
Although the employee had permission to view PHI as part of their job, HIPAA requires PHI to only be used or disclosed for a specific purpose. Since the employee was accessing PHI of patients they were not treating, they violated the HIPAA minimum necessary standard. PHI impermissibly accessed included names, birthdates, health insurance information, Social Security numbers, addresses, and diagnosis and treatment information.
Aultman commented on the EHR HIPAA violation stating, “Upon discovering this, the employee’s access to Aultman’s electronic health record system was suspended, and an investigation was conducted to determine the nature and scope of the incident. To help prevent something like this from happening again, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients.”
EHR HIPAA Violations: How to Prevent Them
Although it is unclear what specific privacy and security protections Aultman had in place, there are certain protections that every healthcare organization should implement.
User Authentication and Access Controls
To ensure adherence to the HIPAA minimum necessary standard, you must create unique login credentials for each employee (user authentication), and use those credentials to designate different levels of PHI access to employees based on their job function (access controls).
Audit Logs and Detecting Insider Breaches
Audit logs, enabled through the use of unique login credentials, tracks and logs access to sensitive data. This facilitates the quick detection of insider breaches as each employee’s regular access patterns are logged, including which employee accesses what data, and how long they accessed it for. This way, should an employee access PHI outside of their regular job function, administrators could easily identify that. For instance, if Aultman had audit logs in place, they would have quickly identified that an employee was excessively accessing patient information, instead of it taking 12 years to detect.
Employee Training and Preventing Breaches
Employee training is one of the most important aspects of HIPAA compliance and data security. Most breaches occur as the result of human error, and as such, it is imperative to the security of your business to train employees on HIPAA standards and cybersecurity best practices. In the case of the Aultman breach, employee training could have prevented their employee from accessing PHI without cause as they would have been trained on the proper uses and disclosures of PHI. And, although this breach was not a security incident, employees must also be trained on how to detect potential breaches so that they can be addressed quickly, minimizing the scope of the breach.
