Claxton-Hepburn Medical Center, a not-for-profit community hospital based in Ogdensburg, New York, terminated several employees because they accessed patient medical records without authorization to do so. The hospital found out about the PHI breaches while conducting an internal investigation. The report did not say whether the investigation was prompted by a complaint or whether the breaches were discovered during audits of PHI access logs.
The complete details of the incident, including the number of employees fired for violating patient privacy, have not been publicly announced. Claxton-Hepburn Medical Center's report stated only that all employees who committed violations were fired. The exact number of patients affected by the data breach is also not yet clear.
Claxton-Hepburn Medical Center mentioned that it provided all employees with appropriate training at the start of their employment and that they were aware of the HIPAA requirements, specifically the importance of protecting patient privacy. All employees were informed that access to patient data is permitted only to employees with authorization to view PHI to complete their work and to those who are assigned to update patient files. This is what the HIPAA Privacy Rule demands. Employees additionally knew that accessing PHI without proper authorization subjects the violator to disciplinary action. Therefore, all the dismissed employees should have known without doubt that their actions constituted a violation of HIPAA Rules.
Following the privacy breaches, the hospital applied further safety measures to prevent similar HIPAA violations in the future. Claxton-Hepburn Medical Center has sent notices by mail to all the affected patients. The employees could have been charged with a criminal offense by Claxton-Hepburn Medical Center for violating the HIPAA Privacy Rule; however, the administrators did not want the police to get involved any further.