Multiple Firings a Medical University of South Carolina’s Due to HIPAA Violations

by | Mar 5, 2018

A recent report published in the Post and Courier revealed that the Medical University of South Carolina (MUSC) fired 13 employees last year for violating HIPAA Rules by prying on patient records. Overall, there were 58 privacy breaches in 2017 at MUSC, all of which have been made known to the Department of Health and Human Services’ Office for Civil Rights (OCR).

All of the breaches impacted only small numbers of patients. Of the 58 breaches, 11 incidents were classed as snooping on medical records. Other breaches were unauthorized disclosures such as when the private health information of a patient is mistakenly sent or faxed to the wrong individual.

Over the past five years, there have been 307 breaches discovered at MUSC, leading to 30 members of non-physician staff being sacked. None of the breaches have been published on the OCR breach portal, which only shows breaches affecting 500 or more peoples. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of in excess of 500 records that are made public and are listed on the breach portal.

These event were made public at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is vital in preventing future privacy breaches. The medical university has made it crystal clear what steps will be taken against workers believed to have violated HIPAA Rules.

The Post and Courier revealed that one board member questioned whether the decision to fire employees for minor privacy breaches was a Draconian action; however, the threat of federal audits over data breaches involving staff has made such swift and decisive action necessary. Heavy fines can be sanctioned when audits reveal HIPAA Rules have not been complied with.

OCR may be concentrating on chasing financial penalties for serious breaches of PHI that affect large numbers of people, but that does not mean that investigations do not take place for smaller violations. There have been multiple reviews of small breaches that have resulted in financial sanctions for HIPAA violations by covered bodies and their business associates.

The most recent instance was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had suffered five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach affecting 441 patients. Additionally, in 2016, OCR made it clear that it would be increasing investigations of covered entities that had experienced small breaches of PHI.

While small breaches may not be widely reported, they are serious for the people concerned, which is something MUSC makes clear in its staff training sessions. Efforts to relay the importance of privacy have also been increased, and it is made clear to staff that the hospital has a clear policy of firing employees for breaching HIPAA Rules.

It would be unfair to single out MUSC as having a poor history of privacy breaches, as many hospitals are likely to have similar record. What should be praised is the full transparency and swift and decisive steps when patient privacy is breached with malicious intent or when the privacy of patients is violated by curious staff.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy