Kaiser Permanente, the California-based American healthcare giant, is one of America’s largest not-for-profit health plans. Kaiser serves over 12 million patients across the country. Recently, Kaiser reported an incident of unauthorized access to PHI to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). An imaging technician had accessed protected health information (PHI) that fell outside the scope of the employee’s job role. The employee was initially placed on administrative leave, and was then fired.
Why Was the Employee Placed on Administrative Leave?
In 2012, a Kaiser Permanente imaging technician started accessing the electronic medical records of Kaiser patients. The technician’s job role did not require that the technician be given access to these records. The unauthorized access continued for a period of 8 years. In total, the technician improperly accessed the records of over 2,700 patients.
Kaiser did not discover this privacy breach until late March of 2020. When Kaiser discovered the breach, it placed the employee on administrative leave, per the organization’s sanctions policy. Kaiser then conducted an internal investigation. The investigation revealed that the access fell outside of the employee’s job functions. While the investigation did not reveal any evidence suggesting the patient information was copied, or used to commit fraud or a crime, Kaiser has notified all affected individuals by mail. After the investigation, the employee who had been placed on administrative leave was terminated.
On May 22, 2020, Kaiser filed a breach report through the Office for Civil Rights’ Breach Portal.
The report indicates that the breach occurred in Maryland, and that 2,756 patients have been affected. HHS is now investigating the breach.
The HIPAA Breach Notification Rule requires that covered entities experiencing a breach affecting more than 500 residents of a state or jurisdiction, in addition to notifying the affected individuals, provide notice to prominent media outlets serving that state or jurisdiction. Covered entities can provide this notification in the form of a press release to appropriate media outlets serving the affected area. Media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. The media notification must include the same information required for the individual notice.
What are the Consequences of Unauthorized PHI Disclosures?
HHS has previously fined organizations for unauthorized use and disclosure of PHI and ePHI. In 2017, Texas-based Memorial Hermann Health System paid OCR $2.4 to settle potential HIPAA violations, after it was revealed that senior management had approved the impermissible disclosure of PHI by adding a patient’s name to the title of a press release.