Cincinnati Medical Center HIPAAUSHHS Launched Investigation in Cincinnati

The University Of Cincinnati Medical Center is now under investigation by the U.S. Department of Health and Human Services, after an alleged leak and manipulation of a patient’s personal information. The patient, diagnosed with a sexually transmitted disease, had detailed billing records that was posted deliberately on the social networking site, Facebook. Probe discovers that a financial services employee of the hospital shared that information with the father of the patient’s then unborn child, who then publicly shared it putting the patient in the center of ridicule and malice.

Rachel Seeger, HHS spokesperson, said that the incident should have been reported to the HHS Office for Civil Rights before the 1st of March. The University of Cincinnati Medical Center spokesperson, Diana Maria Lara, clarified that they did report it before March 1, with paperwork and documentation to back that claim. “We have confirmation we notified the Secretary of HHS via their website portal on October 3rd, 2013 at 12:57 PM,” says Lara.

However, the investigation only began last week, shortly after the hospital learned of the incident, and the prospect of an imminent lawsuit. The employee in question was immediately fired from the hospital.

As per the federal investigation, Lara remains that the hospital was not notified. Seeger’s only reply was, “Cannot comment on open investigations. I regret that I cannot offer further details.” She also kept the specifics of the investigation in the dark.

The most that can be said of the incident was that it is an issue of security, with HIPAA-protected data being used to publicly scorn and harass a patient. Although the act itself was not accomplished by the employee, the mere sharing of information, even to a person related to the patient, makes him equally as guilty.

There is no major breakthrough in the investigation at the moment. Whenever the HIPAA rules are questioned or broken, especially when heard of in the news or in a lawsuit, Health and Human Services would have to launch an inquiry to determine if a fine was merited, either for the incident itself, or for the failure of to report, or possibly both.

This incident raises red flags about the hospital’s security, policies and procedures, and general management. This questions who should handle patients’ records? Should a financial employee have been able to access intimate medical information from records not having to do with his business?

From an IT perspective, this opens up a discussion on what access restrictions are realistic and reasonable. How much should a hospital restrict access? And how much restriction is necessary until it gets in the way of cleaning up billing problems?

Have questions about your own readiness for a HIPAA security probe?  Not sure if you are ready or not?  We can help.  Our team of HIPAA IT and HIPAA security experts can help ensure your clinic or medical facility is ready for a HIPAA audit.  Call (973) 638-2722 or email us at contactus@outsourcemyit.com.