Let's say that Mary, who works as one of your scrub techs, discovers
that her ex-husband, John, who has not paid child support in more
than 8 months, has undergone elective surgery at your facility. Mary
has no job-related reason to access his electronic health record, but
she does so on 11 different occasions, at times for more than an hour.
She prints his demographic, credit card, health insurance, billing and
claims information, his Social Security number and certain portions of
the clinical record documenting his procedure. She uses this information
to file a legal action against him to obtain the unpaid child support
and to increase her alimony. She also blasts him on social media
for spending exorbitant amounts of money on his vanity, naming the
procedure and its costs, instead of child support.
John files a complaint against your facility with the Office for Civil
Rights. He also files a criminal complaint and a civil libel suit against
Mary. When you confirm Mary's unauthorized access to the EMR system
and her breach of patient information, you fire her, of course, but
in HIPAA's view your job's just beginning. Now you have to conduct
an expensive and time-consuming investigation, take action to mitigate
any further harm to John and make any required notifications.
The loss of an employee and professional reputation will no doubt
cost you, plus you may face federal fines.
Nothing stays anonymous online
While you need to be careful not to interfere with your employees'
First Amendment rights to free speech, you also need to warn them of
the potential for HIPAA breaches in their social media communica-
SEPTEMBER 2016 • OUTPATIENTSURGERY.NET • 35
We're seeing more cases of staff peeking into the
records of friends, co-workers — and even celebrities.