A recent report published in the Post and Courier revealed that the Medical University of South Carolina (MUSC) fired 13 employees last year for violating HIPAA Rules by prying on patient records. Overall, there were 58 privacy breaches in 2017 at MUSC, all of which have been made known to the Department of Health and Human Services’ Office for Civil Rights (OCR).
All of the breaches impacted only small numbers of patients. Of the 58 breaches, 11 incidents were classed as snooping on medical records. Other breaches were unauthorized disclosures such as when the private health information of a patient is mistakenly sent or faxed to the wrong individual.
Over the past five years, there have been 307 breaches discovered at MUSC, leading to 30 members of non-physician staff being sacked. None of the breaches have been published on the OCR breach portal, which only shows breaches affecting 500 or more peoples. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of in excess of 500 records that are made public and are listed on the breach portal.
These event were made public at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is vital in preventing future privacy breaches. The medical university has made it crystal clear what steps will be taken against workers believed to have violated HIPAA Rules.
The Post and Courier revealed that one board member questioned whether the decision to fire employees for minor privacy breaches was a Draconian action; however, the threat of federal audits over data breaches involving staff has made such swift and decisive action necessary. Heavy fines can be sanctioned when audits reveal HIPAA Rules have not been complied with.
OCR may be concentrating on chasing financial penalties for serious breaches of PHI that affect large numbers of people, but that does not mean that investigations do not take place for smaller violations. There have been multiple reviews of small breaches that have resulted in financial sanctions for HIPAA violations by covered bodies and their business associates.
The most recent instance was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had suffered five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach affecting 441 patients. Additionally, in 2016, OCR made it clear that it would be increasing investigations of covered entities that had experienced small breaches of PHI.
While small breaches may not be widely reported, they are serious for the people concerned, which is something MUSC makes clear in its staff training sessions. Efforts to relay the importance of privacy have also been increased, and it is made clear to staff that the hospital has a clear policy of firing employees for breaching HIPAA Rules.
It would be unfair to single out MUSC as having a poor history of privacy breaches, as many hospitals are likely to have similar record. What should be praised is the full transparency and swift and decisive steps when patient privacy is breached with malicious intent or when the privacy of patients is violated by curious staff.