Tuesday, July 20, 2010

Jail Time Due to HIPAA Patient Privacy Violation


A former UCLA Healthcare System employee was fined and sentenced to four months in federal prison plus one year of supervised release.

His crime? After being terminated from his job he retained his access to the medical records systems, and he used it to read the records of Drew Barrymore, Tom Hanks, Arnold Schwarzenegger, Barbara Walters, and others. (a)
“In his plea agreement, Zhou admitted that he obtained and read private patient health and medical information on four specific occasions after he was formally terminated from the UCLA Healthcare System.” (b) 

The Challenge of Meaningful Use and the Security Rule
The HIPAA security rule requires that healthcare organizations “Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.” (c) But employees retaining access after termination has proven especially difficult to prevent with conventional methods, because those methods depend on a manager informing IT, or on an HR system informing IT, that the person has left.

Conventional Methods are Not Sustainable Controls
There have been reports of firing managers not informing HR or IT for weeks after a termination because they were too busy to complete the paperwork. At one firm the HR system did not notify IT for several months after a termination: the terminated employee’s severance agreement paid him for several months after his last day, so for HR regulatory purposes he was still classified as an employee, and no notification was ever sent to IT.
Learn how the Veriphyr Identity and Access Intelligence service supports meaningful use by identifying terminated users and by detecting inappropriate access to patient medical records.
Identity and Access Intelligence (IAI) Discovers Terminated Users
Fortunately, there are more sustainable controls for identifying terminated employees and notifying IT to terminate their access. Identity and access intelligence removes the dependency on people and automatically identifies terminated employees from their online activity. Several firms claim to provide identity and access intelligence, but only Veriphyr offers an on-demand Identity and Access Intelligence service that can be up and running in 24 hours and requires zero capital expenditure (CAPEX).
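The two controls discussed above can be run over ordinary audit data. The script below is an added example for this post; it is not Veriphyr’s service, UCLA’s systems, or any real log data, and every user id, date, log line and threshold in it is constructed. The first check is the direct test of the Security Rule requirement: EHR access dated after the termination date HR recorded. The second check does not trust HR at all: it uses a building badge log as a presence signal and flags anyone who still reads patient records although they have not badged in for more than a hypothetical 30 days, which is how the severance case above (HR still says ACTIVE) and a terminated user working remotely both surface.

```python
"""Two checks for workforce members who keep EHR access after leaving.

Added example for this post, not Veriphyr's service, UCLA's systems, or any
real audit data: every log line, user id, date and threshold is constructed.
"""
from datetime import date, datetime

# Constructed EHR audit trail: timestamp, user id, action, record id.
EHR_AUDIT = """\
2010-02-01T09:15:00 jdoe view MRN-10001
2010-02-03T14:02:00 rsmith view MRN-10002
2010-02-10T22:41:00 jdoe view MRN-10003
2010-02-12T23:05:00 jdoe view MRN-10004
2010-03-01T08:00:00 rsmith update MRN-10002
2010-03-02T07:30:00 akhan view MRN-10005
"""

# Constructed physical-badge log: date, user id (one line per badge-in).
BADGE_LOG = """\
2010-02-01 jdoe
2010-02-04 jdoe
2010-02-03 rsmith
2010-03-01 rsmith
2010-01-12 akhan
2010-01-14 akhan
"""

# Constructed HR feed. jdoe was terminated on 2010-02-05 but the account was
# never disabled. akhan left in January on a severance paid through April, so
# HR still carries the account as ACTIVE and never notified IT (the lag the
# post describes).
HR_FEED = {
    "jdoe": {"status": "TERMINATED", "termination_date": date(2010, 2, 5)},
    "rsmith": {"status": "ACTIVE", "termination_date": None},
    "akhan": {"status": "ACTIVE", "termination_date": None},
}

# Hypothetical threshold: EHR use with no badge-in for this long is suspicious.
STALE_PRESENCE_DAYS = 30


def parse_ehr(text):
    """Return (timestamp, user, action, record) tuples from the audit text."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, record = line.split()
            rows.append((datetime.fromisoformat(ts), user, action, record))
    return rows


def parse_badges(text):
    """Return {user: sorted list of badge-in dates}."""
    seen = {}
    for line in text.splitlines():
        if line.strip():
            day, user = line.split()
            seen.setdefault(user, []).append(date.fromisoformat(day))
    return {u: sorted(d) for u, d in seen.items()}


def access_after_termination(events, hr):
    """Control 1: EHR access dated after the HR termination date.

    This is the direct test of 45 CFR 164.308(a)(3)(ii)(C): once HR records an
    end date, any later access means de-provisioning failed.
    """
    findings = []
    for ts, user, action, record in events:
        term = hr.get(user, {}).get("termination_date")
        if term and ts.date() > term:
            findings.append((user, ts.isoformat(), action, record))
    return findings


def access_without_presence(events, badges, max_gap_days=STALE_PRESENCE_DAYS):
    """Control 2: infer departure from activity rather than from HR.

    For each EHR access, find the most recent badge-in on or before that day.
    A user who has not entered the building for longer than max_gap_days (or
    has never badged in at all, gap None) yet still reads records is a likely
    leaver HR never reported, or a terminated user working remotely.
    """
    findings = []
    for ts, user, action, record in events:
        day = ts.date()
        prior = [d for d in badges.get(user, []) if d <= day]
        gap = (day - prior[-1]).days if prior else None
        if gap is None or gap > max_gap_days:
            findings.append((user, ts.isoformat(), action, record, gap))
    return findings


def run_checks():
    """Run both controls over the constructed data and return the findings."""
    events = parse_ehr(EHR_AUDIT)
    badges = parse_badges(BADGE_LOG)
    return {
        "post_termination": access_after_termination(events, HR_FEED),
        "no_presence": access_without_presence(events, badges),
    }


if __name__ == "__main__":
    for name, rows in run_checks().items():
        print(name)
        for row in rows:
            print("  ", *row)
```

On the constructed data the first control reports jdoe’s two reads after 2010-02-05 and nothing else, because HR never recorded an end date for akhan; the second control reports akhan’s read 47 days after the last badge-in while leaving jdoe’s reads alone, since they fall within days of a badge-in. The two are complementary: neither alone covers both the de-provisioning failure and the HR reporting lag, and any feed that reliably stops when someone leaves (VPN, e-mail, timekeeping) can stand in for the badge log.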
“HIPAA’s criminal privacy provisions protect not only celebrities, but all of us from curious neighbors, disgruntled co-workers, and other snoopers.” - Acting United States Attorney George S. Cardona (d)
Sources:
(a) KTLA.com
(b) United States Attorney's Office
(c) “Security Standards for the Protection of Electronic Protected Health Information,” - 45 CFR Part 164.308(a)(3)(ii)(C)
(d) Department of Justice


Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.