On June 25, 2021, the Aultman Health Foundation (Aultman), an Ohio-based health system with more than 7,000 employees, announced that the patient records of more than 7,000 patients may have been accessed without authorization by an employee whose job duties did not require such access. While the employee did not provide direct care, they had access to electronic health records because part of their job was to coordinate patient care. According to Aultman, the employee may have impermissibly accessed patients’ names, addresses, birthdates, Social Security numbers, insurance information, and diagnosis and treatment information.
The Aultman employee accessed patient records without authorization between September 14, 2009, and April 26, 2021. Such access without authorization is considered “snooping.”
Snooping usually occurs when an employee views the patient records of friends, family, work colleagues, or a celebrity without authorization because the employee is curious about why that person is there and what treatment they are receiving. However, due to the COVID-19 pandemic, staff may also be further tempted to view more patient records without authorization to identify patients’ coronavirus status.
Snooping is considered a breach under HIPAA. HIPAA provides three exceptions to the definition of “breach.” One exception applies when an employee of a covered entity accesses or uses protected health information unintentionally, but in good faith and within the scope of their authority. However, the Department of Health and Human Services Office for Civil Rights has stated that this exception does not apply to snooping employees because snooping is neither unintentional nor done in good faith.
The Aultman employee was terminated, and Aultman is implementing new training for employees to mitigate any future snooping of patient records. However, given the extensive time period of the snooping by the Aultman employee, regulators may review whether Aultman had appropriate policies, procedures, and safeguards in place to address snooping. For example, regulators may analyze whether Aultman had policies and procedures in place to monitor access to patient records and periodically audit the access logs of its employees.
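The periodic access-log audit mentioned above is the control that turns a decade of snooping into something caught in weeks. The following is an added illustration, not code from Aultman or from any EHR vendor: it reads a constructed access log, compares each record access against the user's current care assignments, and separately flags views of records that belong to co-workers. The log format, the assignment table, and every identifier in it are assumptions made up for the example; a real review would pull the same three inputs (access events, care assignments, employee-patient roster) from the EHR audit trail and scheduling systems.

```python
"""Audit EHR access logs for snooping indicators (added example, constructed data).

Two simple rules a compliance reviewer can run periodically:
  1. A user viewed a patient who is not on that user's care assignment list.
  2. A user viewed a record belonging to a fellow employee.
Neither rule proves snooping; both produce a short list to review with
the user's manager, which is what "periodically audit access logs" means.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    patient_id: str
    action: str


# Constructed sample audit log. Assumed format: "ISO-timestamp,user,patient,action".
SAMPLE_LOG = """\
2021-04-26T08:01:00,u_coord01,p_1001,view
2021-04-26T08:05:00,u_coord01,p_1002,view
2021-04-26T12:30:00,u_coord01,p_9001,view
2021-04-26T12:31:00,u_coord01,p_9002,view
2021-04-26T12:32:00,u_coord01,p_emp_0042,view
2021-04-26T09:00:00,u_nurse07,p_1001,view
2021-04-26T09:15:00,u_nurse07,p_1003,update
"""

# Constructed care assignments: user -> set of patients currently on their panel.
ASSIGNMENTS = {
    "u_coord01": {"p_1001", "p_1002"},
    "u_nurse07": {"p_1001", "p_1003"},
}

# Constructed roster of patient ids that belong to employees (co-worker records).
EMPLOYEE_PATIENTS = {"p_emp_0042"}


def parse_log(text):
    """Parse the assumed CSV-style log into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def find_unassigned_access(events, assignments):
    """Rule 1: accesses to patients outside the user's current assignments."""
    return [e for e in events
            if e.patient_id not in assignments.get(e.user_id, set())]


def find_coworker_access(events, employee_patients):
    """Rule 2: accesses to records that belong to employees."""
    return [e for e in events if e.patient_id in employee_patients]


def review(log_text, assignments, employee_patients, threshold=1):
    """Run both rules and return a summary keyed by user for manager follow-up.

    `threshold` is the number of unassigned accesses that puts a user on the
    review list; 1 is strict, a larger value tolerates occasional float coverage.
    """
    events = parse_log(log_text)
    unassigned = find_unassigned_access(events, assignments)
    coworker = find_coworker_access(events, employee_patients)
    per_user = Counter(e.user_id for e in unassigned)
    return {
        "events_reviewed": len(events),
        "unassigned_by_user": dict(per_user),
        "coworker_views_by_user": dict(Counter(e.user_id for e in coworker)),
        "users_to_review": sorted(u for u, n in per_user.items() if n >= threshold),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, ASSIGNMENTS, EMPLOYEE_PATIENTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running the block against the constructed log puts `u_coord01` on the review list (three views outside assignments, one of them a co-worker's record) and leaves `u_nurse07` clean. The value of the control is in the cadence, not the rules: run weekly, the same logic would have surfaced a pattern like the one described above long before it reached twelve years.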
Aultman will be providing free credit monitoring and identity theft protection for patients whose Social Security numbers may have been compromised.