Former Hospital Employee Sentenced for Accessing Ex-Boyfriend’s Medical Records

HIPAA

On June 14, 2021, a former hospital employee was sentenced for wrongfully accessing and distributing her ex-boyfriend’s medical records. The former employee received probation after pleading guilty to one count of wrongfully obtaining individually identifiable health information under false pretenses.

The former employee worked at the hospital as a patient care technician and was authorized to access individually identifiable health information, but only as necessary to provide services to her patients. In the plea agreement, she admitted that on multiple occasions between April and October 2017, she used her login credentials to access her ex-boyfriend’s protected private health information even though he was not one of her patients. In September 2017, she took a picture of a medical photograph that showed one of her ex-boyfriend’s injuries and sent the picture to a third person. The third person then sent the picture to the ex-boyfriend and others on Facebook Messenger along with taunting language and emojis.

The former hospital employee was sentenced to five years of probation and fined $1,000. During her probationary term, she is restricted from employment in which she would have access to the private medical information of others. At her sentencing, the judge observed that she had “weaponized” her ex-boyfriend’s private medical information.

Issue:

All healthcare workers must understand HIPAA rules and how they must safeguard protected health information (PHI). The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public, while ensuring an individual’s health information remains confidential. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.

Discussion:

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates and how to respond in a timely manner to requests from authorized individuals.
  • Train all staff, at a minimum upon hire and annually, on HIPAA, PHI, and Privacy, including responding in a timely manner to requests for records. Document that these trainings occurred and file the signed training document in the employees’ education files.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.

PRIVACY IS EVERYONE’S RESPONSIBILITY