Medical University of South Carolina (MUSC) demonstrated how seriously it takes protected health information (PHI) violations by terminating 13 of its employees last year for snooping on patient records, which is against HIPAA Rules. The medical institution recorded a total of 58 privacy violations in 2017, 11 of which fell under the type of violation committed by the terminated employees. The remaining 47 breaches involved unauthorized disclosures such as accidentally sending or faxing medical records to the wrong individual.
A total of 30 non-physician staff members have been terminated from MUSC over the past five years, during which 307 breach incidents were discovered. All of these violations have been properly reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in compliance with HIPAA Rules, which require that all PHI breaches be reported. However, it should be noted that not one of the 307 breaches at MUSC can be found on the OCR breach portal, as it only lists those that have affected 500 or more individuals.
During the meeting of the hospital’s board of trustees where the terminations were announced, a board member was said to have asked whether the penalty meted out to the terminated employees was severe, given that they had committed only minor infractions. It was explained that the action taken was deemed valid and necessary, as federal audits over data breaches concerning employees imposed hefty fines for violations of HIPAA Rules.
While it may seem that the OCR gives more attention to large-scale PHI breaches, records show that the office is likewise keen on taking the same action on smaller offenses. Several minor breaches in the past have resulted in HIPAA covered entities and their business associates settling financial penalties. For instance, in February of this year Fresenius Medical Care North America paid OCR $3.5 million in penalties for five small data breaches, all of which occurred within six months in 2012. A breach that affected 441 patients of Hospice of North Idaho caused the institution to shell out $50,000 in 2013 as a settlement with OCR. Further evidence of its commitment was the office’s announcement in 2016 that it would be increasing investigations of small PHI breaches.
MUSC takes patient privacy and security seriously and works to make its employees realize the importance of this as well as the far-reaching effects of such violations. Employees are made aware that the hospital has a strict and clear termination policy when it comes to HIPAA violations.