Jackie Drees for Becker’s Hospital Review
Eleven hospitals and health systems reported instances of EHR snooping by their employees this year, resulting in terminations and other disciplinary actions.
HHS’ HIPAA privacy and security rules require hospitals and health systems to invoke sanctions against staff members who violate privacy and security policies such as EHR snooping. However, the office leaves the responsibility of implementing appropriate punishment up to the healthcare organizations, whether that is termination or another disciplinary action.
Here are 11 hospitals and health systems that reported patient record breaches by employees wrongfully viewing medical records in 2020, as reported by Becker’s Hospital Review:
1. Lisa Roland, a former patient at Huntsville (Ala.) Hospital, in March claimed an employee improperly viewed her medical records. Ms. Roland alleged an insurance auditor employed by Huntsville Hospital unnecessarily accessed her files and that since the incident, her information is being leaked. Huntsville Hospital confirmed to Ms. Roland in a letter that her information was accessed without a business-related purpose.
2. Valencia, Calif.-based Henry Mayo Newhall Hospital fired several employees in March after wrongfully viewing the information of the suspected Saugus High School shooter, Nathaniel Tennosuke Berhow, who died at the hospital after allegedly shooting and killing two classmates and injuring three others.
3. Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020.
4. Mercy Health terminated a nurse at its Hackley Hospital in Muskegon, Mich., April 3 for inappropriately viewing medical records of several patients.
5. Ann and Robert Lurie Children’s Hospital of Chicago reported May 4 that an employee viewed more than 4,800 patient medical records without a work-related reason between Nov. 1, 2018, and Feb. 29, 2020. After discovering the incident and launching an investigation, the hospital terminated the employee’s access to its information systems on March 5 and confirmed in its May 4 notice that the employee no longer worked for the hospital.
6. Kaiser Foundation Health Plan of the Mid-Atlantic States terminated an employee who inappropriately accessed members’ radiology records from 2012 to 2020. The health system reported the breach to HHS May 22 as affecting 2,756 individuals.
7. Hennepin Healthcare terminated five employees in July for inappropriately viewing the medical records of “a high profile patient” after George Floyd was taken to the Minneapolis-based hospital in May after dying in police custody.
8. Ashley County Medical Center in Crossett, Ark., fired a former nurse in August for viewing 772 patients’ records for reasons unrelated to medical care and treatment.
9. Montefiore Medical Center in New York City posted a security breach notice Sept. 18 stating that a former employee had recently stolen about 4,000 patients’ personal information, including names, addresses and Social Security numbers, between January 2018 and July 2020.
10. Geisinger began notifying more than 700 patients Sept. 18 that one of the Danville, Pa.-based health system’s former employees inappropriately accessed their medical records from June 2019-20.
11. Rochester, Minn.-based Mayo Clinic on Oct. 5 notified more than 1,600 patients that a former employee wrongly viewed their health records, which stored information including demographic information, birth dates, medical record numbers, clinical notes and medical images.