Jeanne Sager | Democrat
HOSPITAL CEO STEVE Ruwoldt said there was no "malicious intent" in an employee's privacy violations.
HIPAA violations found at CRMC
By Jeanne Sager
HARRIS - A nosy employee at Catskill Regional Medical Center is being blamed for a breach of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that put 431 personal medical files at risk.
The November termination of the CRMC employee was made public by the hospital this week as it closed the book on its investigation with letters sent to the patients whose confidentiality was breached.
“She was nosy,” said hospital CEO Steven Ruwoldt.
The employee, a woman whom Ruwoldt declined to identify, had worked in various capacities in the hospital for a number of years.
Her last post was in medical records, which gave her access to the files although not the authority to access those which she apparently viewed on a regular basis.
“It appears the access of these records were acquaintances of hers and people that she works with,” Ruwoldt explained. “These accesses were noted through routine internal audit of our system.”
Caught in November, the issues were brought to the employee, who was interviewed by hospital administration. When she could not come up with a “cogent” reason for viewing the files, Ruwoldt said, she was terminated.
The ensuing investigation covered three years of electronic medical records and was slow going, as work had to be done manually to determine whether the employee’s access of each file was appropriate or violated both the federal HIPAA law and the hospital’s confidentiality processes.
Ruwoldt said employees are forbidden from taking phone calls from family and friends who ask them to check into one of their files, and they’re even disciplined for checking into their own files.
When a request is made, a procedure is in place to contact the appropriate person on staff to open the files. Yearly education on the policy is mandated for all employees.
Audits of the electronic system then follow up, allowing an auditor to determine what files have been accessed and by whom, even how long the file was open.
“At times we can’t help what people will do, and it’s not something we sanction, but certainly we’ve got the safeguards in place that have caught this,” Ruwoldt said. “We have a zero tolerance policy for breaches of these actions.
“We believe this was purely something of curiosity and it did not represent anything of malicious intent,” he said.
There’s no evidence that the information was used maliciously, and police, though notified, have not charged the former employee with a crime.
“On the positive note on this, we have security systems here that in fact have worked,” he noted. “We are deeply sorry for any inconvenience this may have caused or concerns it causes any of the people that are involved, but we do want to emphasize our security system in fact did work.”
The hospital has upped the number of times per year the audits will be performed to better catch potential HIPAA violations. Ruwoldt said patients should still feel safe at CRMC.
“It’s simply the temptation some people have those accesses and don’t even think about it,” Ruwoldt said. “I equate it to a person with a driver’s license. They have the authority to drive on the street; can we guarantee that they’re not going to speed?
“No, all we can do is police it to catch people if they do violate the laws,” he continued. “We do not condone these actions whatsoever, and we take them very seriously.
“We take every step that we can that their records are safe.”
Letters were mailed this week to all 431 patients whose files were affected.