Employee Fired for Inappropriately Accessing EHR Records

Even an ‘Internal Breach’ is a Breach

According to an announcement on its website, Alabama-based DCH Health Systems fired an employee for accessing and viewing over 2,500 patient records “without a legitimate business need related to the employee’s job duties.” The notice said the breach was discovered “during a routine privacy audit.”

The records that may have been accessed and viewed without authorization include names, addresses, dates of birth, Social Security numbers, dates of encounter, diagnoses, vital signs, medications, test results, and clinical/provider notes. DCH said it does not know if the information was used or further disclosed and mailed letters to patients informing them of the breach and offering identity theft/credit monitoring services to those whose health plan ID numbers may have been involved.

There are lots of lessons to be learned from this incident. This is a good ‘teaching moment’ to share with your administrative and clinical managers and staff.

1. HIPAA includes a requirement for MINIMUM NECESSARY ACCESS. This means that those with authorized access to your medical records may only access records for authorized purposes, and they should only access the minimum amount of information required for the task they are completing. DCH Health Systems said the employee was fired for accessing records for unauthorized purposes. Everyone knows that HIPAA requires patient information to be kept private and not shared with friends, ...
Source: EMR and HIPAA - Category: Information Technology - Source Type: blogs