Petersburg Medical Center has come out with more information about a medical records breach. They say about 200 patients were affected. The community hospital announced Monday that one of its employees had viewed records for patients not under their care. KFSK’s Angela Denning reports from Petersburg:
Petersburg Medical Center’s CEO, Phil Hofstetter, talked about the incident on a KFSK radio show Thursday.
“On behalf of PMC, I apologize,” he said.
The medical center sent out letters to all patients whose medical records may have been viewed by this employee.
So, how did they find out about it in the first place? Hofstetter says another employee reported it, which is encouraged through the HIPAA training everyone gets at PMC. HIPAA, the Health Insurance Portability and Accountability Act, is a federal law.
“Both HIPAA and PMC have a rule that if an employee suspects another employee has violated HIPAA, including improperly accessing a confidential medical record, that employee has a duty to report the potential violation to PMC’s compliance office,” Hofstetter said.
An internal investigation was launched and the employee in question was kept away from records during that time. PMC also filed the incident with the Office for Civil Rights, which they are required to do.
The letters sent out to patients detailed the dates the medical records were viewed. Some of those dates went back two and three years. So, how could someone view records that long ago but PMC not know about it until the end of February?
Hofstetter says they didn’t know about some of them until they started digging through the computer system. They looked back through the years that the employee could have had access to records. Every record view is time-stamped. Hofstetter says the information was viewed but there is no evidence that it was stored, copied, or shared.
“All of the facts point to the information being viewed briefly,” he said.
Under HIPAA, this type of violation is called “curiosity look-ups.” PMC trains all employees that it’s not permitted.
Hofstetter says they have no reason to believe the breach went beyond their hospital. He says identity theft is very unlikely; both billing and financial records are kept separate from the medical records.
“The investigation found nothing to indicate that patient billing or financial records were viewed,” said Hofstetter.
Once it was proved that the employee had inappropriately viewed medical records, the employee was terminated and is no longer working at PMC.
Hofstetter says HIPAA only requires a press release if there are 500 or more people affected by a breach, but they announced it anyway for transparency.
He says they cannot release the name of the employee who was part of the breach because of confidentiality laws PMC is under.
The medical center has purchased a new electronic health records system, which Hofstetter says will have more safeguards in place, including a compliance module that could help indicate improper viewing of records. They expect to begin the process of transferring to a new system by the end of March and have it up and running by the end of November.