Minnesota Health System Employee Improperly Accessed Patient Information

In October 2013, Alina Health in Minnesota notified almost 4,000 patients (3,807) of a privacy breach by a medical assistant employee who improperly accessed protected health information (PHI) and other personal information. Upon discovery of this unauthorized access, Alina Health conducted an investigation in September 2013, which confirmed that the employee had improperly accessed patient information as early as February 2010. The employee was terminated as a result of this incident.

The patients were notified by mail, and notice was also available on the Alina Health website. 

As we have discussed in prior publications, part of a robust HIPAA privacy and security policy is to implement several compliance features, including monitoring, audit, workforce training, and sanctions and termination.  

The Alina Health matter is a good reminder to all HIPAA covered entities to review their policies and ensure that the policies and procedures are being followed. Some questions come to mind based on this incident, such as the following:

· Do you know which positions have access to PHI? For example, have you created a minimum necessary database, listing which positions have access to PHI, and how much information (e.g., just the billing information)?

· Are employees accessing PHI other than on a “need to know” basis?

· Has the Privacy/Security Officer monitored the implementation of the policy to ensure compliance?

· What is your sanctions policy for an unauthorized access of PHI?

· Does your policy include a method to ensure the security of PHI such that when a person is terminated he or she no longer has electronic access to any information?

These are just some of the questions raised by this incident. If you have any questions regarding the privacy incident at Alina Health or implementing HIPAA privacy and security policies, please contact attorneys Susan Ziel (sziel@kdlegal.com) or Jaya White (jwhite@kdlegal.com).