Texas Hospital District Fires 16 For HIPAA Violations
The Harris County Hospital District of Houston, Texas, fired 16 employees, accusing them of violating patient privacy laws by inappropriately accessing the records of a medical resident who'd been admitted to the hospital after she was shot in a grocery store parking lot.
A spokeswoman for the hospital district confirmed in an e-mail exchange with InformationWeek that 16 employees were fired November 20 for violating the Health Insurance Portability and Accountability Act (HIPAA), but declined to provide specifics.
A county employee who asked not to be identified told the Houston Chronicle that two high-ranking administrators told him the fired employees had looked at the medical records of Dr. Stephanie Wuest, a first-year Baylor College of Medicine resident assigned to Ben Taub General Hospital.
Wuest became a patient at Ben Taub on Oct. 29, after she was shot in a grocery store parking lot. She is expected to make a full recovery, her mother said [Nov. 25].
Most of the fired employees worked at Ben Taub. They include managers, nurses, clerks and other employees.
HIPAA requires healthcare providers to sanction employees for violations, but leaves the level of sanction to the healthcare provider's discretion.
"It could be that the district wants to draw a hard line against any violations of the law in order to discourage the federal Office of Civil Rights from imposing large civil or criminal financial penalties," said Stacey Tovino, a professor of health law at Drake University who writes frequently on HIPAA.
She noted that many institutions fire employees for that reason.
Still, Tovino said the level of sanction could be considered harsh given HIPAA's standards requiring institutions to report violations to the federal government. She said the law defines such breaches as those posing "a significant risk of financial, reputational or other harm to the individual."
Tovino questioned whether employees accessing a colleague's record out of concern about her prognosis would meet that threshold.