Washington Health System Employees Suspended for Unauthorized PHI Access

Washington Health System has suspended a number of its employees after discovering they inappropriately accessed medical records. The investigation into the breach is currently ongoing and termination is a possibility for the employees concerned.

Although the number of employees involved has not been confirmed, the VP of Strategy and Clinical Services, Larry Pantuso, released a statementto the Observer Reporter saying around a dozen employees had been suspended. At this point, no employee has been terminated for unauthorized medical record access.

The privacy breaches are considered to be related to the death of a WHS Neighbor Health Center employee, Kimberly Dollard. She died when an car driven by Chad Spence, 43, hit the building where Kimberly worked. Spence and another person were brought to the hospital for treatment for their injuries sustained in the accident.

Pantuso did not confirm that the unauthorized access involved these two individuals’ records, but he did state that the alleged PHI breach was associated with a “high profile case.”

Accessing medical information with no legitimate work reason for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). Employees are permitted to access PHI for treatment, healthcare operations or billing purposes only. If a healthcare employee is found to have broken the HIPAA Rules, he or she will be subjected to disciplinary action in the form of suspension, termination of employment, revocation of a professional license and, possibly, criminal charges may be filed.

There have been some recent cases of employees being fired for snooping on the health records of famous patients. One case in February 2018 involved 13 employees from the Medical University of South Carolina. They were dismissed for HIPAA violations after they were discovered to have viewed the health records of patients, including high profile patients, with no authorization.

One of the latest cases involved a healthcare employee named Martha Smith-Lightfoot. She was given a list of patients from the University of Rochester Medical Center (URMC) before leaving her job to ensure continuity of care. She took that list to Greater Rochester Neurology – her new employer. The patients on the list were contacted in an attempt to solicit business. Because of the HIPAA violation, the New York nursing board’s Office for Professional Discipline took action against Smith-Lightfoot.

Smith-Lightfoot signed a consent order with the nursing board to acknowledge her violation. The board suspended her license to practice for one year. She also got a stayed suspension for one more year, and will be on probation for three years when she returns to practice.

Snooping on patient health records will likely be discovered because logs are recorded each time health records are accessed. Those logs are regularly monitored and if PHI access without authorization is discovered, employees will likely be terminated. Termination for a HIPAA violation will seriously affect future opportunities for work in the healthcare industry.