According to a Post and Courier report, 13 Medical University of South Carolina (MUSC) employees were terminated last year for snooping on patient records, a violation of the HIPAA Rules. MUSC reported a total of 58 privacy violations to the Department of Health and Human Services’ Office for Civil Rights (OCR) in 2017, each of which affected only a small number of patients. 11 of the 58 breaches were cases of snooping on health records; the rest were unauthorized disclosures. An unauthorized disclosure occurs, for instance, when PHI is sent or faxed to the wrong person.
MUSC has had 307 breaches in the past five years and has terminated 30 non-physician staff as a result. The breaches were not listed on the OCR breach portal because each impacted fewer than 500 people. The HIPAA Rules require covered entities to report all PHI breaches to OCR; however, only breaches affecting 500 or more people are publicized and posted on the breach portal.
At a recent board of trustees’ meeting, MUSC described the actions it took against the employees who violated the HIPAA Rules. One board member questioned the harsh decision to terminate employees for minor breaches, but MUSC stood by its decision as necessary. Heavy penalties are appropriate when HIPAA Rules are not followed, and the policy shows how seriously MUSC takes privacy and security issues: employees who violate the HIPAA Rules will not be tolerated.
OCR may focus on breaches that impact large numbers of people, but it still investigates smaller breaches, and some have resulted in financial penalties for HIPAA violations. One example is the $3.5 million settlement agreed in early February by Fresenius Medical Care North America (FMCNA), which had experienced 5 small data breaches in 2012. Another is the $50,000 settlement paid by Hospice of North Idaho for a breach impacting 441 patients.
Small breaches do not make the headlines, but they are still serious matters. MUSC emphasizes the importance of privacy during employee training sessions and makes clear the hospital policy of terminating employees who violate the HIPAA Rules.
MUSC is not the only entity with a poor record of privacy breaches; other healthcare organizations may have similar statistics. However, MUSC is to be commended for its transparency and its decisive action against violators of patient privacy, especially those acting with malicious intent.