The Post and Courier, the South Carolina newspaper, has released a report stating the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules. The report states that the employees violated patient privacy by snooping on patient records without authorisation. The Department of Health and Human Services’ Office for Civil Rights received reports of 58 privacy violations at MUSC in 2017.
Each breach was on a small scale and affected only a small number of patients. Of the 58 breaches, 11 were categorised as snooping on medical records. The remaining breaches were due to employee errors, such as unauthorised disclosures where a patient's health information was accidentally sent or faxed to the wrong person.
The past five years have seen 307 breaches of protected health information (PHI) at MUSC, resulting in 30 members of staff being terminated. None of the staff fired were physicians.
The breaches will not be listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Although HIPAA Rules stipulate that all PHI breaches must be reported to OCR, no matter how small or accidental, only breaches affecting 500 or more individuals are made public and detailed on the breach portal.
The revelations were made at a recent meeting of the hospital's board of trustees. MUSC opted for transparency, which it considers an important step in preventing future privacy breaches. In its statements about the incidents, the medical university has made it clear what actions will be taken against employees discovered to have violated HIPAA Rules.
When questioned by the Post and Courier, one board member raised concerns that the decision to terminate employees for minor privacy breaches was too severe. However, the threat of federal audits over data breaches involving employees means that such decisive and severe actions are seen as necessary to show that the facility takes patient privacy seriously. Heavy fines can be imposed when audits reveal that HIPAA Rules have not been followed.
OCR is usually focused on pursuing financial penalties for serious breaches of PHI that affect large numbers of individuals. However, to ensure that best practices are being adopted on all scales, investigations still take place for smaller breaches. Investigations of small breaches have even resulted in financial penalties for HIPAA violations by covered entities and their business associates.
In early February this year, a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced five small data breaches in a six-month period in 2012, and the repeated violations of HIPAA Rules resulted in the seven-figure settlement. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach impacting 441 patients. In 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.
Small breaches by employees may not affect as many individuals as high-profile hacking incidents, but they are nonetheless serious for the individuals concerned. MUSC will need to implement a training program to instil the importance of patient privacy in its staff members. Following the terminations, employees have been left in no doubt that the hospital has serious policies for dealing with staff who violate HIPAA Rules.