

HIPAA Company-Applied Sanction: Hospital Employee Fired For Snooping Through 431 Patient Files

I thought it would be a good follow-up to my post from Saturday to point out a recent instance of how HIPAA covered entities (CEs) are applying their own organizational sanctions against personnel who violate information security and privacy policies that are also HIPAA requirements.

It appears that the Catskill Regional Medical Center in Harris, New York takes the HIPAA requirements seriously and obviously has put some controls in place to catch employees who are looking through patient files when they have no job need to do so.

"CRMC employee fired for unauthorized access to patient files"

The employee was fired for looking through the files of 431 patients whom she knew or worked with.

Some good security practices were likely in place to be able to catch this employee:

  • The employee was caught as a result of an audit. This means that there were access logs of some type(s) in place to document whenever someone accessed patient files. Does your organization log whenever someone accesses the personally identifiable information (PII) within your enterprise?
  • The snooped-upon patients were notified. This is not only a good breach response practice, it is also required by at least 46 U.S. breach notice laws.
  • The hospital actively enforced the sanctions for non-compliance with their own internal policies as well as with federal laws. Does your organization consistently enforce sanctions for policy and law non-compliance?
  • The hospital likely had ongoing awareness communications and regular training in place; without them, it is hard to show that the employee knew the policy she violated, which is what makes a firing defensible. Do you have effective training and ongoing awareness communications in place?
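The audit in the first bullet is the control that actually caught this employee, so here is an added worked example of what such an audit pass looks like in code. This is not code from the original post, and the post does not say how CRMC ran its audit; the log format, field names, the care-team table, the employee-patient list and every sample record below are constructed for the illustration. The check is the common one: a record view is a finding when the viewer has no documented treatment relationship with the patient, and a view of a co-worker's record is flagged separately because that is the pattern described in the news report.

```python
"""
Added example (not from the original post): an audit pass over an
electronic-record access log that flags record views with no documented
treatment relationship. Log format, field names and all sample records
are constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one line per patient-record access.
# Fields: timestamp, user_id, user_role, patient_id, action
ACCESS_LOG = """\
2009-02-10T08:01:22,nurse.a,RN,P1001,VIEW
2009-02-10T08:04:10,nurse.a,RN,P1002,VIEW
2009-02-10T08:09:45,nurse.a,RN,P2007,VIEW
2009-02-10T08:10:02,nurse.a,RN,P2008,VIEW
2009-02-10T08:10:30,nurse.a,RN,P2009,VIEW
2009-02-10T09:15:00,dr.b,MD,P1001,VIEW
2009-02-10T09:20:00,dr.b,MD,P1001,UPDATE
2009-02-10T12:00:00,clerk.c,ADMIT,P3001,VIEW
2009-02-10T12:05:00,clerk.c,ADMIT,P2008,VIEW
"""

# Constructed treatment-relationship table: the staff on each patient's care
# team during the audited period. A real audit would derive this from
# admission, encounter and scheduling data rather than a hand-written dict.
CARE_TEAM = {
    "P1001": {"nurse.a", "dr.b"},
    "P1002": {"nurse.a"},
    "P3001": {"clerk.c"},  # clerk.c registered this patient
}

# Constructed list of patients who are also hospital employees.
EMPLOYEE_PATIENTS = {"P2008"}


@dataclass(frozen=True)
class Finding:
    user_id: str
    patient_id: str
    timestamp: str
    reason: str


def parse_log(text):
    """Turn the CSV-style log text into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split(",")
        rows.append({"timestamp": ts, "user_id": user, "role": role,
                     "patient_id": patient, "action": action})
    return rows


def audit(rows, care_team, employee_patients):
    """Return one Finding per access with no documented treatment relationship."""
    findings = []
    for r in rows:
        if r["user_id"] in care_team.get(r["patient_id"], set()):
            continue  # documented relationship: legitimate access
        reason = "no treatment relationship"
        if r["patient_id"] in employee_patients:
            reason = "co-worker record, no treatment relationship"
        findings.append(Finding(r["user_id"], r["patient_id"],
                                r["timestamp"], reason))
    return findings


def summarize(findings):
    """Count distinct patient records each user viewed without a relationship."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f.user_id].add(f.patient_id)
    return {u: len(p) for u, p in per_user.items()}


def users_over_threshold(summary, threshold):
    """Users whose distinct unjustified record count meets the review threshold."""
    return sorted(u for u, n in summary.items() if n >= threshold)


if __name__ == "__main__":
    found = audit(parse_log(ACCESS_LOG), CARE_TEAM, EMPLOYEE_PATIENTS)
    for f in found:
        print(f"{f.timestamp} {f.user_id} -> {f.patient_id}: {f.reason}")
    print("per-user counts:", summarize(found))
    print("for review:", users_over_threshold(summarize(found), 2))
```

On the constructed data, nurse.a is flagged for three patients she has no relationship with and clerk.c for one co-worker's record, while dr.b's accesses are all legitimate. The threshold in `users_over_threshold` is the tuning knob: a single stray lookup is often a mistyped identifier, whereas dozens of distinct records with no relationship (let alone 431) is the pattern worth a human review.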

This is also a good example of the insider threat. In this case, according to the report, the motivation to snoop was merely curiosity: she had access, so she took advantage of it even though she had no business need to look at the records.

I wonder how many physical, hard-copy records she snooped through, too. Access to paper is much harder to log than access to digital files.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on its list of the world's best privacy experts and on its list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.