Claxton-Hepburn Medical Center has not publicly disclosed how many staff members were sacked in relation to the violations, only reporting that all staff members who purposely committed the acts were sacked. It is also currently unclear exactly how many patients’ PHI was exposed.
Claxton-Hepburn Medical Center has stated that all staff members are given training on their first day of employment that goes through the requirements of HIPAA and the importance of safeguarding the privacy of patients. All staff members are made aware that accessing patient health information is only allowed when PHI needs to be viewed to complete work duties or when patient records need to be refreshed, as per the requirements of the HIPAA Privacy Rule. Staff members are also made aware that any unpermitted access to PHI will lead to disciplinary steps being applied. The staff members in question would have known that their actions were not allowed under HIPAA Rules.
The identification of the privacy breaches has led to the hospital putting in place additional security measures to minimise the chance of future HIPAA violations of this nature happening. Claxton-Hepburn Medical Center has also alerted by mail all patients whose records were inappropriately shared or viewed.
While criminal charges could potentially be pressed against healthcare staff members for HIPAA Privacy Rule violations, on this occasion Claxton-Hepburn Medical Center has not contacted law enforcement agencies.