Ten hospitals and health systems reported instances of EHR snooping by their employees this year, resulting in terminations and other disciplinary actions.
HHS' HIPAA privacy and security rules require healthcare organizations to impart sanctions against staff members who violate privacy and security policies such as EHR snooping. However, the office leaves the responsibility of implementing appropriate punishment such as termination or other disciplinary action up to the healthcare organizations.
Here are 10 hospitals and health systems that reported patient record breaches by employees wrongfully viewing medical records in 2021, as reported by Becker's Hospital Review.
1. Montefiore Health System notified some patients in January that their protected health information had been illegally accessed by a former employee. The New York City-based health system terminated the employee and referred the case to law enforcement.
2. In April, Montefiore fired a second employee for EHR snooping after having discovered the individual inappropriately accessed patients' medical records for more than a year.
3. Bethesda Hospital, part of Coral Gables, Fla.-based Baptist Health, in February said it terminated an employee for "impermissibly" accessing patients' medical records and altering a home care patient's health order.
4. In March, Petersburg (Alaska) Medical Center notified patients that a hospital employee had wrongfully viewed records of patients who were not directly under their care. The hospital said it implemented measures to prevent similar instances, including terminating the offending employee and inking plans to deploy a new EHR system that has more safeguards.
5. Gainesville-based University of Florida Health Shands notified 1,562 patients in May that a former employee wrongfully accessed their protected health information over a two-year period.
6. Ahmad Maher Abdel-Munim Alsughayer, a former physician at Rochester, Minn.-based Mayo Clinic, was charged in Olmsted County (Minn.) District Court with gross misdemeanor unauthorized computer access in June after allegedly inappropriately accessing patients' PHI during his employment.
7. Canton, Ohio-based Aultman Health Foundation began notifying around 7,300 patients in June that their PHI had been inappropriately accessed by a former health system employee between September 2009 and April 2021. The former employee was terminated.
8. Long Island Jewish Forest Hills Hospital, part of New Hyde Park, N.Y.-based Northwell Health, in August began notifying more than 10,000 patients that their PHI was inappropriately accessed by a former employee.
9. Lincoln, Neb.-based Bryan Health began notifying more than 2,700 patients in November of a data breach after a former employee snooped through their medical records.
10. In November, Huntington (N.Y.) Hospital, part of Northwell Health, began notifying about 13,000 patients that their PHI was improperly accessed by a former employee. The hospital worked with law enforcement to investigate the incident, and the former employee has been charged with a criminal HIPAA violation.