March 7, 2018
A recent report in the Post and Courier disclosed that the Medical University of South Carolina (MUSC) fired 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy breaches at MUSC in 2017, all of which were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Each of the breaches affected only a small number of patients. Of the 58 breaches, 11 incidents were classified as snooping on medical records. The remainder were impermissible disclosures, such as a patient’s PHI being mistakenly mailed or faxed to the wrong recipient.
Over the past 5 years, 307 breaches have been discovered at MUSC, resulting in 30 non-physician staff members being fired. None of these breaches appear on the OCR breach portal, which only lists breaches affecting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, but only large breaches of 500 or more records are made public and listed on the breach portal.
These incidents were made public at the latest meeting of the hospital’s board of trustees. MUSC has opted for transparency, which it regards as essential to preventing future privacy breaches. The medical university has also made it clear what action will be taken against employees found to have violated HIPAA Rules.
The Post and Courier reported that one board member asked whether firing employees for minor privacy breaches was a Draconian measure; however, the risk of federal audits following data breaches involving staff has made such prompt and decisive action necessary. Substantial penalties can be imposed when audits reveal that HIPAA Rules have not been complied with.
OCR may be more inclined to pursue financial penalties for serious breaches of PHI that affect large numbers of individuals, but that does not mean investigations do not occur for smaller violations. Several investigations of small breaches have led to financial penalties for HIPAA violations by covered entities and their business associates.
The most recent case was in early February, when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced 5 small data breaches within a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach affecting 441 patients. Furthermore, in 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.
Although small breaches may not generally be reported in the media, they are serious for the individuals concerned, which is something MUSC makes clear in its staff training sessions. Efforts to communicate the importance of privacy have also been stepped up, and staff are left in no doubt that the hospital has a firm policy of firing employees who breach HIPAA Rules.
It would be unfair to single out MUSC as having a poor record of privacy breaches, since many hospitals are likely to have a similar record. What should be commended is its full transparency and its rapid and decisive action when patient privacy is breached with malicious intent or violated by curious staff.