In addition to having their employment contract terminated, healthcare employees who have been identified as improperly accessing the medical records of patients are also likely to face a criminal investigation into their conduct because of breaching HIPAA rules. This is regardless of the reason why they accessed the medical data in the first place.
A criminal investigation is likely if medical records have been accessed with malicious intent and with the intent of using it for personal gain. However, even accessing medical records out of curiosity can result in police investigation and a possible prosecution.
Earlier this week, St. Charles Health System announced that a caregiver at their facility had improperly accessed the medical records of around 2,500 patients over a period of 27 months. An internal investigation into the incident was conducted, and the employee disciplined as per company policy.
St. Charles Health System announced that they were satisfied that medical records were accessed out of curiosity. The employee in question was required to sign an affidavit in which she confirmed that she had not used any of the information she viewed to commit fraud. She claims she looked at the medical records out of medical interest, and had never intended to pass the information to a third party.
All patients impacted by the privacy breach were notified by mail, in accordance with the HIPAA Breach Notification Rule. Furthermore, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights. In accordance with state rules, the Oregon Attorney General’s office was also notified about the breach. The incident was not reported to law enforcement as the privacy breach was not determined to be a criminal act.
However, Deschutes County District Attorney John Hummel believes law enforcement should have been notified of “an alleged breach of that magnitude,” to allow a criminal investigation to be conducted. DA Hummel has now launched a criminal investigation into the case and will work with the police department to determine whether any criminal laws were violated by the employee. Should the investigation find that criminal laws were broken, the employee will find criminal charges made against them.
While the healthcare provider was satisfied that records were not accessed with any criminal intent, Hummel explained that it is not up to the healthcare provider to make such a determination. Hummel explained to NewsChannel21 that “That job is left to police officers, district attorneys, grand juries, judges and juries in the courtroom,” Hummel went on to explain, “Just like I don’t diagnose a patient’s health condition, a medical professional shouldn’t try to determine whether a crime was committed.”
One patient has reported receiving a call from an individual claiming to be from St. Charles Health and was offered help protecting her health information. The call was not made by St. Charles Health, although there is no indication that the call was related to this incident. Similar calls have been made to patients of other healthcare organisations in the area.
This incident should serve as a warning to all healthcare employees. Any improper accessing of medical records is not only likely to result in internal disciplining and potential loss of employment. Criminal investigations are also likely to be launched. If these prosecutions are successful, then jail time may be a very real possibility.