Petersburg Medical Center announced in a press release that an employee of the organization violated the hospital’s code of conduct and HIPAA patient privacy by accessing patient medical records without cause. Details on the insider healthcare patient privacy breach are discussed.
Petersburg Medical Center: Insider Healthcare Breach
Upon learning that an employee may have been accessing protected health information (PHI) outside their duties, Petersburg Medical Center launched an investigation into the insider healthcare patient privacy breach. The investigation determined that an organization employee had been accessing the medical records of patients that the employee was not treating, and as such, violated both the hospital’s code of conduct, as well as HIPAA patient privacy law during the healthcare privacy breach.
It was also determined that, although the records were inappropriately viewed, the employee had not improperly disclosed the PHI. Petersburg Medical Center has since revoked the employee’s access to medical records, and is taking steps to prevent a similar healthcare patient privacy breach from occurring in the future.
The press release stated, “PMC deeply regrets that one of its employees acted in a manner that violates PMC rules, policies, and procedures as well as violating trust with PMC patients.” The statement also urged that PMC had trained the employee on permissible uses and disclosures of PHI, however, the employee in question violated the training.
It is unclear at this time how many patients were affected by the incident, as PMC has not made that information public, however, affected patients received breach notification letters by mail.
The Minimum Necessary Standard
By accessing patient information without cause, the employee violated the minimum necessary standard. This standard requires that PHI only be accessed to perform a specific job function. Under the minimum necessary standard, healthcare organizations are required to designate different access levels to PHI based on an employee’s job function, known as access controls.
Access and Audit Controls.
To implement access controls, healthcare organizations must provide each employee with unique login credentials to access data. By issuing login credentials to each individual employee, the organization can control which employees have access to what data. For instance, an employee only needs access to the patient files for patients that they are treating.
Additionally, utilizing unique login credentials allows an organization to implement audit controls. Audit controls allow for audit logs to be kept which track access to data, and establish regular access patterns for each employee. By implementing audit logs, insider healthcare breaches and HIPAA patient privacy violations can be detected quickly. Audit logs also enable the quick detection of data accessed by an unauthorized individuals using stolen employee login credentials.
Employee Training.
An important part of ensuring that employees adhere to HIPAA patient privacy standards, as well as their organization’s policies and procedures, is through employee training. Employee training dictates the proper uses and disclosures of PHI in accordance with the minimum necessary standard.
