On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) and its affiliate, Tri Rivers Musculoskeletal Centers (TRMC). From March 7, 2016, through June 23, 2017, Kalina improperly accessed the health information of 111 UPMC patients who had never been provided services at TRMC. In her capacity as a patient information coordinator, Kalina was authorized to access patient information contained in UPMC’s electronic medical record system as necessary to provide services to patients. Among others, Kalina accessed and disclosed the health information involving two individuals who worked at Kalina’s former employer.
The HIPAA Privacy and Security Rules require covered entities to maintain reasonable safeguards to protect PHI and to monitor their electronic systems for any intentional or unintentional unauthorized use or disclosure of PHI. Many healthcare systems operate interoperable electronic medical record systems and give affiliates access to them. Healthcare providers and clinical staff are generally granted full access to a patient’s medical record for treatment purposes, but are required to access, use, or disclose only the minimum amount of PHI necessary to accomplish that purpose. Technology to monitor and log access to electronic systems containing PHI is readily available; the difficulty lies in determining whether a particular staff member’s access to a specific medical record was appropriate, which still generally requires a focused investigation of that record and that user.
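One way to narrow that investigation is to test each logged access against a treatment relationship: did the patient have an encounter at the facility the accessing user was working for, within a reasonable window of the access? In the Kalina case the 111 patients had never been seen at TRMC, so every one of those accesses would fail such a check. The following is an added example written for this article, not code from UPMC, TRMC, or any EMR vendor; the pipe-delimited log format, the user-to-facility field, the 30-day window, the alert threshold, and all sample records are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    facility: str   # facility the user was working for when the record was opened
    patient: str
    action: str


@dataclass(frozen=True)
class Encounter:
    patient: str
    facility: str
    date: datetime


# Constructed sample EMR audit log (assumed format: timestamp|user|facility|patient|action).
RAW_LOG = """\
2016-03-07T09:14:02|coord_a|TRMC|P0001|VIEW
2016-03-07T09:20:45|coord_a|TRMC|P0002|VIEW
2016-03-07T09:31:10|coord_a|TRMC|P0003|VIEW
2016-03-08T14:02:33|coord_a|TRMC|P0004|PRINT
2016-03-09T08:05:19|coord_a|TRMC|P0005|VIEW
2016-03-09T10:47:00|nurse_b|TRMC|P0001|VIEW
"""

# Constructed encounter (scheduling/registration) data for the same patients.
ENCOUNTERS = [
    Encounter("P0001", "TRMC", datetime(2016, 3, 7)),        # seen at TRMC on the day of access
    Encounter("P0002", "TRMC", datetime(2016, 2, 26)),       # seen at TRMC 10 days earlier
    Encounter("P0003", "UPMC_MAIN", datetime(2016, 3, 5)),   # seen only elsewhere in the system
    Encounter("P0005", "TRMC", datetime(2015, 8, 1)),        # TRMC visit, but far outside the window
    # P0004 has no encounter anywhere.
]

# Assumed policy: an encounter at the user's facility within 30 days supports the access.
WINDOW = timedelta(days=30)


def parse_log(text: str) -> List[Access]:
    """Parse the constructed pipe-delimited audit log into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, facility, patient, action = line.split("|")
        records.append(Access(datetime.fromisoformat(ts), user, facility, patient, action))
    return records


def has_treatment_relationship(access: Access, encounters: List[Encounter],
                               window: timedelta = WINDOW) -> bool:
    """True if the patient had an encounter at the accessing user's facility within the window."""
    return any(
        e.patient == access.patient
        and e.facility == access.facility
        and abs(e.date - access.ts) <= window
        for e in encounters
    )


def unsupported_accesses(log: List[Access], encounters: List[Encounter],
                         window: timedelta = WINDOW) -> List[Access]:
    """Accesses with no supporting encounter; these are the ones worth a human review."""
    return [a for a in log if not has_treatment_relationship(a, encounters, window)]


def users_over_threshold(unsupported: List[Access], threshold: int) -> Dict[str, int]:
    """Aggregate per user so a pattern of unsupported access stands out from a one-off."""
    counts = Counter(a.user for a in unsupported)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = unsupported_accesses(parse_log(RAW_LOG), ENCOUNTERS)
    for a in flagged:
        print(f"REVIEW {a.ts.isoformat()} user={a.user} facility={a.facility} "
              f"patient={a.patient} action={a.action} (no encounter within {WINDOW.days} days)")
    print("users over threshold:", users_over_threshold(flagged, threshold=2))
```

The check is deliberately coarse: it does not try to judge intent, only to separate accesses that have an obvious treatment basis from those that do not, so the focused investigation the Rules effectively demand can start with a short list instead of the whole log. Real deployments would also exclude legitimate non-clinical roles (billing, release-of-information) and add a break-the-glass path with its own review queue.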
Covered entities are required to provide HIPAA privacy and security training so that workforce members understand their obligations, roles, and responsibilities to protect the confidentiality of PHI. Covered entities may want to consider including Kalina’s case, or similar cases, in their workforce training to highlight the serious consequences for those who access a patient’s medical record without authorization. A covered entity is required to sanction a workforce member for noncompliance with HIPAA; sanctions may include suspension or termination of employment and reporting the workforce member to state or professional licensing or accreditation bodies for a lapse in professional competence, which in turn may lead to the loss or suspension of a professional license or certification. The covered entity is required to notify the affected individual of any breach of PHI, and that individual may file an invasion of privacy claim or lawsuit against both the covered entity and the workforce member involved in the incident. Finally, the DOJ or state agencies may bring a criminal action against the workforce member, which can result in a prison sentence and a fine. These measures may not deter a person acting with malice or intent to harm another, but they will help deter many workforce members from accessing, using, or disclosing PHI for an unauthorized purpose.