
MN Health Clinic Fires 32 for HIPAA Violations

By dnicastro@hcpro.com | May 11, 2011

A Minnesota hospital system fired 32 employees at two of its hospitals this month for inappropriately accessing medical records of patients – the highest reported termination tally at a hospital for such a violation in recent memory.

Allina Hospitals & Clinics terminated the employees in Unity Hospital in Fridley and Mercy Hospital in Coon Rapids who wanted a peek at the medical records of patients hospitalized in March due to a drug overdose at a party in nearby Blaine, a hospital official said.

David Kanihan, Allina's director of marketing and communications, told HealthLeaders Media in an e-mail the employees were terminated for "accessing electronic medical records of patients without a legitimate patient-care reason for doing so."

HIPAA allows hospital employees to view patient records for reasons of treatment, payment and healthcare operations.

According to the Minneapolis Star Tribune, 11 teenagers and young adults were hospitalized after they overdosed on a synthetic drug. One died.

"We take our obligation to protect patient privacy very seriously," Kanihan wrote in the e-mail to HealthLeaders. "Our actions in this matter are completely consistent with how we have always dealt with these cases. Anything short of a zero tolerance approach to this issue would be inadequate."

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the most significant threats regarding patient information breaches come from internal sources.

"I am seeing not only with folks I network with, but firsthand, stepped up efforts for organizations to analyze access to medical records by its own staff to see if there are some privacy issues that need to be addressed," Ruelas says.

Big events, such as a VIP coming to a hospital or a well-known member of the community receiving care at a facility, may prompt unauthorized access, primarily out of curiosity or concern for the individual, Ruelas adds.

"However, as more organizations prompt their employees to make use of their own facilities to receive care, the opportunity for more snooping even out of a genuine concern from coworkers to see how someone they know is doing -- which is still unauthorized -- is a big issue that I believe people are finally realizing needs to be addressed," Ruelas says.

This isn't the first case of termination for patient-record snooping.

In January, the University Medical Center in Tucson fired three clinical support staff members and a contracted nurse for "inappropriately accessing confidential medical records."

The records were related to shootings at a Tucson supermarket that killed six and wounded 13 -- including U.S. Rep. Gabrielle Giffords (D-AZ).

Last September, Mayo Clinic fired an employee who worked in a business center in Arizona for accessing nearly 2,000 patient medical and financial records over a four-year period. The employee's access rights covered all Mayo Clinic patient records at all Mayo sites.

HIPAA compliance specialist Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, N.Y., says the number of terminations at Allina Hospitals & Clinics itself may not be as "significant as it may seem."

"This is a large health system," she adds. "They have developed their policies, training programs, auditing systems, and sanctions processes to meet the requirements and the spirit of the laws. It appears that they have had their program in place for some time and their processes should be no surprise to any of their workforce. … They appear to be diligent in their investigation process and consistent in how they treat inappropriate access."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
