Claxton-Hepburn Medical Center is a not-for-profit community hospital located in Ogdensburg, NY. A number of its employees were terminated from work for accessing patient medical records even if they were not authorized to do so. The hospital became aware of the PHI breaches while doing an internal investigation. The report did not clearly say if there was a complaint received that prompted the investigation or if the breaches were discovered while auditing PHI access logs.
It has not been publicly disclosed by Claxton-Hepburn Medical Center how many of its employees were fired because of the patient privacy violations. The report only mentioned that all employees involved in the committed violations were terminated. It is likewise not clear at this time how many patients were affected by the PHI breach.
Claxton-Hepburn Medical Center stated that all employees had been provided training at the beginning of their employment and they knew about the details of the HIPAA requirements particularly the great importance of safeguarding the patient privacy. All employees were clearly told that access to patient medical records is only allowed to employees authorized to view PHI in order to complete their work duties and to those who are tasked with updating patient records. This is what the HIPAA Privacy Rule requires. Employees also knew that if they accessed PHI without authorization, they may be subject to disciplinary action. Hence, all the terminated employees should have known without a doubt that their actions violated HIPAA Rules.
Because of the privacy breaches, the hospital implemented additional safeguards to prevent future HIPAA violations like in these breaches. Claxton-Hepburn Medical Center already sent mail notifications to the patients whose information were compromised.
Claxton-Hepburn Medical Center could have filed criminal charges against the healthcare employees for violating HIPAA Privacy Rules, but the administrators did not involve the police any more.