Another Case of Snooping Prosecuted

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer's medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

The Rutland, VT Herald reports that Kathy Tatro of Bennington, VT pleaded guilty to four counts of unauthorized access to computer records in a plea bargain that imposed probation and required her to serve 160 hours of community service, which will include talking to medical employees about the importance of privacy regarding patient records. The Bennington Banner reports that Ms. Tatro was given a 6- to 12-month suspended sentence, 2 years of probation and a $2,000 fine.

This blog has noted other instances of snooping leading to serious consequences, including the case of a UCLA researcher sentenced to prison time for reading records of celebrities and co-workers, a Texas nurse fired for unauthorized access, a California hospital fined after employees accessed Michael Jackson’s records, a New York hospital that suspended employees for accessing George Clooney's records after a motorcycle accident, and the termination of 16 hospital employees for accessing the records of an injured first-year resident.

The Vermont ACLU claims that this incident is “believed to be the most extensive breach of personal electronic medical records ever reported in Vermont.” The ACLU noted that the victim had explained in court how the system let her down.

“No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.”

Based on reports, it appears this case was brought solely under state privacy laws, not HIPAA. It is not clear whether the Vermont Attorney General was involved, even though it seems that the victim alerted a variety of authorities.  

This case is yet another cautionary tale that should be considered by anyone in a position to access health records without a legitimate purpose, as well as by hospitals and other covered entities, which should reevaluate the safeguards they have in place to track, prevent or at least discourage unauthorized access.

When Will They Learn? Snooping Nurse Fired, Patients Notified

A nurse has been fired by a Texas hospital after accessing information on patients for whom she had no clinical responsibility, according to the Mt. Pleasant, TX Daily Tribune. The hospital, Titus Regional Medical Center, reportedly discovered the unauthorized access in the course of an audit in November. The nurse admitted to looking at the records out of curiosity but insisted that no records had been further disclosed.

The hospital decided to notify 108 patients in a letter which warned them of a slight risk of identity theft. The hospital administrator indicated that the notices may not be required under HIPAA but were being sent out of an abundance of caution, and emphasized that there was no evidence any data was printed or disclosed to any third parties. Although most records accessed did not contain social security numbers, affected patients were nevertheless advised to contact the three major credit bureaus, Equifax, Experian and TransUnion.

This incident is reminiscent of the 2011 UCLA breach, which resulted in a prison term for the snooping employee, and of similar incidents involving other California hospitals. A common element in these breach incidents is that the health information was not sold, distributed or otherwise further disclosed by the snooping employees. However, after an investigation, federal health regulators determined that UCLA employees reviewed patients' electronic medical records "repeatedly and without a permissible reason." Ultimately, UCLA entered into a settlement agreement with federal health regulators which, among other things, socked UCLA with a fine of $865,000.

These cases illustrate the seriousness of HIPAA’s still poorly defined “minimum necessary” standard which, at the least, requires workers at covered entities and business associates to have a valid reason beyond mere curiosity before they access PHI. The ease with which employees can call up any record in a health system’s database can present an overpowering temptation, and it is incumbent on employers to educate their workforce about the need to resist the urge to snoop.