Lowell General Hospital in Massachusetts has discovered that the medical records of 769 patients were accessed by an employee who had no legitimate work-related reason to view them.
By accessing those records, the employee violated hospital policy and breached patient privacy. Once the breach was detected and the subsequent investigation concluded, the employee was terminated. Lowell General Hospital stated that only one individual was involved and that this was not a widespread problem at the hospital.
Patients affected by the incident have been notified, and a breach notice has been posted on the hospital's website. Patients have been told that the types of information accessed by the former employee included names, dates of birth, medical diagnoses, and information relating to the treatments they received.
No health insurance details, financial information, or Social Security numbers were viewed by the employee, and the investigation found no evidence that any of the accessed information has been misused.
Lowell General Hospital provides training to all workforce members and makes clear to employees that accessing medical records without a legitimate reason is strictly prohibited. Although checks are performed to ensure that employees follow hospital policy, the incident has prompted Lowell General Hospital to review the security and privacy policies covering its medical records system. Changes will be made to ensure that any future cases of snooping are identified quickly. The hospital will continue to provide ongoing training to its workforce on patient privacy.
What remains unclear is how long the employee was able to improperly access medical records before the privacy breaches were discovered. The number of patients affected suggests that the improper access had been going on for many months.
HIPAA requires covered entities and their business associates to regularly review PHI access logs for unauthorized access. Although "regularly" is open to interpretation, it is good practice to audit access logs frequently, ideally continuously, to help identify unauthorized activity.
These reviews can be performed manually, although tools are available to reduce the administrative burden. Such tools are either rule-based or behavior-based. The former require rules to be defined that trigger alerts when they are violated, whereas behavior-based systems learn what normal access looks like and trigger alerts when anomalies are detected. These automated solutions can help identify unauthorized activity much more quickly, allowing prompt action to be taken when employees snoop on medical records.
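The following is an added example, not code from the article or from any hospital system, showing both kinds of check run over a small access log. The log lines, user names, patient IDs and the care-relationship table (assumed to be exported from a scheduling or encounter system) are constructed for illustration. The rule-based pass flags any access to a patient the user has no care relationship with and any day on which a user opens more than a fixed number of distinct charts; the behavior-based pass compares each user's daily distinct-patient count against that user's own median over prior days.

```python
"""Added example: rule-based and behavior-based review of EHR access logs.

All log lines, users, patient IDs and the care-relationship table below are
constructed for illustration and are not drawn from any real hospital system.
"""
from collections import defaultdict
from statistics import median

# Constructed sample access log: timestamp, user, patient, action.
SAMPLE_LOG = """\
2023-03-01T09:02:11 nurse_a P1001 chart_view
2023-03-01T09:40:37 nurse_a P1002 chart_view
2023-03-01T10:15:02 clerk_b P1003 demographics
2023-03-02T08:55:19 nurse_a P1004 chart_view
2023-03-02T11:02:44 nurse_a P1001 chart_view
2023-03-02T11:30:00 clerk_b P1007 demographics
2023-03-03T13:20:01 nurse_a P1005 chart_view
2023-03-03T13:21:12 nurse_a P1006 chart_view
2023-03-03T14:00:09 nurse_a P3001 chart_view
2023-03-03T15:05:40 clerk_b P1003 demographics
2023-03-04T02:14:08 clerk_b P2001 chart_view
2023-03-04T02:14:51 clerk_b P2002 chart_view
2023-03-04T02:15:30 clerk_b P2003 chart_view
2023-03-04T02:16:02 clerk_b P2004 chart_view
2023-03-04T02:16:45 clerk_b P2005 chart_view
2023-03-04T02:17:20 clerk_b P2006 chart_view
"""

# Constructed care-relationship table (assumed to come from the scheduling or
# encounter system): the patients each user may legitimately view.
CARE_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002", "P1004", "P1005", "P1006"},
    "clerk_b": {"P1003", "P1007"},
}


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        entries.append({"ts": ts, "day": ts[:10], "user": user,
                        "patient": patient, "action": action})
    return entries


def distinct_patients_per_day(entries):
    """Map user -> {calendar day -> set of distinct patients accessed}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in entries:
        per_day[e["user"]][e["day"]].add(e["patient"])
    return per_day


def rule_based_alerts(entries, relationships, max_per_day=5):
    """Rule 1: access to a patient with no care relationship on file.
    Rule 2: more than max_per_day distinct patients in one calendar day."""
    alerts = []
    for e in entries:
        if e["patient"] not in relationships.get(e["user"], set()):
            alerts.append(("no_care_relationship", e["user"], e["ts"], e["patient"]))
    for user, days in distinct_patients_per_day(entries).items():
        for day in sorted(days):
            n = len(days[day])
            if n > max_per_day:
                alerts.append(("daily_volume", user, day, n))
    return alerts


def behavior_based_alerts(entries, factor=3.0, min_baseline_days=2):
    """Flag a day whose distinct-patient count exceeds `factor` times the
    user's median daily count over the preceding days (a simple baseline).
    Days before enough history exists are used only to build the baseline."""
    alerts = []
    for user, days in distinct_patients_per_day(entries).items():
        history = []
        for day in sorted(days):
            n = len(days[day])
            if len(history) >= min_baseline_days:
                baseline = median(history)
                if n > factor * baseline:
                    alerts.append(("anomalous_volume", user, day, n, baseline))
            history.append(n)
    return alerts


def run_audit(log_text=SAMPLE_LOG, relationships=CARE_RELATIONSHIPS):
    """Return (rule-based alerts, behavior-based alerts) for a log."""
    entries = parse_log(log_text)
    return rule_based_alerts(entries, relationships), behavior_based_alerts(entries)


if __name__ == "__main__":
    rule_alerts, behavior_alerts = run_audit()
    for alert in rule_alerts + behavior_alerts:
        print(alert)
```

On this constructed log the two approaches complement each other: the rule-based pass catches nurse_a's single out-of-relationship lookup of P3001, which is far too small a change in volume for a baseline to notice, while the behavior-based pass flags clerk_b's burst of six charts at 02:00 on 2023-03-04 purely from the departure from that user's own history, so it would still fire if the care-relationship export were incomplete.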