May 9, 2011 | Comments Off on Hospitals Fire Employees Over Privacy Violation
Posted by Sharlene Hunt
The StarTribune in Minneapolis St. Paul has reported that two related hospitals in Minnesota fired 32 employees for violating patient privacy when they accessed medical records of patients hospitalized as the result of a massive drug overdose at a party in the area. According to the news story, because the drug overdose story was so high profile, the hospitals conducted an investigation to determine whether employees had wrongfully accessed the electronic hospital records of the patients involved in the case. Thirty-two employees were found to have accessed records without permission. Although the employees held positions in which they accessed electronic medical records as part of their job duties, they were not authorized to do so with respect to these particular patients. The hospitals fired all 32 employees under their “zero tolerance” policy.
We have previously commented on the importance of health care providers having in place safeguards to protect patient information under the Health Insurance Portability and Accountability Act (“HIPAA”). Health care providers have an obligation to enforce their policies, which may include taking disciplinary action, up to and including termination, against employees who access records inappropriately. Idle curiosity is not a legitimate reason to access a medical record. With electronic health records, it will be easier to determine who has accessed a record and whether that access was job related.
A violation of the HIPAA privacy laws can result in the filing of a complaint with the federal Office of Civil Rights (OCR). The OCR can then decide whether to investigate the complaint and if it finds that a violation occurred, the OCR has the authority to impose civil monetary penalties or refer the matter to the Department of Justice for criminal prosecution. Thus, this issue must be treated very seriously by health care providers, and appropriate action taken to protect patient privacy.