Two independent care providers inappropriately accessed the healthcare data of 683 patients of TJ Samson Community Hospital in Glasgow, KY and TJ Health Columbia Clinic. The unauthorized access to patient PHI was discovered on August 25, 2017 during a routine audit of system logs.
The information inappropriately accessed on January 1, 2017, included names, demographic information, medical notes, Social Security numbers and insurance details. Financial information was not accessible because the independent health providers’ login credentials were restricted from reaching it.
An independent healthcare provider may access a patient’s PHI in order to perform the work of treating that patient. A provider who is not treating a patient has no legitimate reason to access that patient’s data. In the case above, it is apparent that both independent care providers went beyond the allowed boundaries of PHI access. It is a good thing that TJ Samson had the chance to interview both independent healthcare providers and found that none of the accessed patient information had been misused or disclosed.
In response to the culprits’ actions, TJ Samson simply blocked their access to the hospital’s data storage system and took no further action. To comply with the HIPAA Rules, TJ Samson posted a notice of the breach on the hospital’s official website. In addition, affected patients were sent a breach notification letter by mail. The hospital management also took the necessary steps to prevent the same kind of unauthorized access from happening again. The access procedure for independent health care providers was thoroughly reviewed, too.