Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?

Sutter Health’s California Pacific Medical Center (CPMC) recently announced that an employee had accessed patient files without a business or treatment purpose. Here are the details from their press release:

California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.

CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation.

The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.

This was a fascinating breach of HIPAA. In fact, it starts with the question of whether we should call this a breach at all. In the HIPAA sense, it’s a breach of HIPAA. In the IT systems security sense, I could see how people wouldn’t consider it a breach, since the person didn’t access anything the IT system hadn’t authorized him to see. Semantics aside, this is a HIPAA issue, and it is likely happening in pretty much every organization in the US.

My last statement is particularly true in larger organizations. The sheer number of staff means that it’s very likely that some users of your IT systems are looking at patient records without a specific “business or treatment purpose.” I’m sure some will use this as a call for a return to paper, as if this stuff didn’t happen in the paper world as well. It happened in the paper world, but we just had no way to track it. With technology we can now track every record everyone touches. That’s why we’re seeing more issues like the one reported above. In the paper world we’d have just been ignorant of it.

With this in mind, I start to wonder whether we’ll see HIPAA audits of organizations that haven’t reported any violations like the one above. Basically, the auditors would assume that if you haven’t reported anything, then you’re probably not proactively auditing access yourself, so they’re going to come in and do it for you. Plus, if you’re not doing this, then you’re likely not meeting a whole slew of other HIPAA requirements. On the other hand, if your security policies and procedures are good enough to proactively catch something like this, then you’re probably above average in other areas of HIPAA privacy and security. Sounds reasonable to me. We’ll see if it plays out that way.
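As an added example, not taken from the article or from Sutter Health/CPMC, here is what the “proactive audit” described above looks like when written down as a rule over EHR access logs: every chart access is checked against a table of documented care relationships (orders, encounters, unit assignments), accesses with no such relationship are collected per user, and a user who reaches several unexplained patients lands on a review list. The log lines, the care-relationship table, the user and patient identifiers, the 7-day look-ahead and 30-day follow-up windows, and the review threshold are all constructed assumptions; a real EHR exports its audit trail and encounter data in its own schema.

```python
"""Flag EHR chart accesses that have no documented treatment relationship.

Constructed example: the audit log, the care-relationship table, the windows
and the threshold below are made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR access audit lines: timestamp, user, patient, action.
ACCESS_LOG = [
    "2014-10-09T08:02:00 user=dr_005 patient=P1001 action=view_chart",
    "2014-10-09T08:20:00 user=dr_005 patient=P3001 action=view_chart",
    "2014-10-09T08:30:00 user=dr_005 patient=P4001 action=view_chart",
    "2014-10-09T09:12:00 user=rph_042 patient=P1001 action=view_chart",
    "2014-10-09T09:15:00 user=rph_042 patient=P1002 action=view_chart",
    "2014-10-09T09:16:00 user=rph_042 patient=P1003 action=view_chart",
    "2014-10-09T09:17:00 user=rph_042 patient=P1004 action=view_chart",
    "2014-10-09T09:18:00 user=rph_042 patient=P1004 action=view_meds",
    "2014-10-09T09:21:00 user=rph_042 patient=P1005 action=view_chart",
    "2014-10-09T09:23:00 user=rph_042 patient=P1006 action=view_chart",
    "2014-10-09T13:40:00 user=rn_017 patient=P2001 action=view_chart",
    "2014-10-09T13:55:00 user=rn_017 patient=P2002 action=view_chart",
    "2014-10-09T14:00:00 user=rn_017 patient=P2001 action=document_vitals",
]

# Constructed care relationships: (user, patient, start, end), as an EHR would
# derive them from orders, encounters or unit assignments.
CARE_RELATIONSHIPS = [
    ("dr_005", "P1001", "2014-10-07T00:00:00", "2014-10-14T23:59:59"),
    ("dr_005", "P3001", "2014-09-20T00:00:00", "2014-10-01T23:59:59"),  # ended, recent follow-up
    ("dr_005", "P4001", "2014-10-12T00:00:00", "2014-10-15T23:59:59"),  # upcoming visit
    ("rph_042", "P1001", "2014-10-07T00:00:00", "2014-10-14T23:59:59"),
    ("rn_017", "P2001", "2014-10-08T00:00:00", "2014-10-10T23:59:59"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_log_line(line):
    """Parse one audit line into a dict; reject anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def build_relationship_index(relationships):
    """Index care relationships by (user, patient) so lookups are O(1) per access."""
    index = defaultdict(list)
    for user, patient, start, end in relationships:
        index[(user, patient)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end))
        )
    return index


def has_treatment_purpose(user, patient, ts, rel_index,
                          lead=timedelta(days=7), grace=timedelta(days=30)):
    """True if the access falls inside a care relationship, allowing a short
    look-ahead for pre-visit preparation and a follow-up window after discharge."""
    for start, end in rel_index.get((user, patient), []):
        if start - lead <= ts <= end + grace:
            return True
    return False


def find_unexplained_access(log_lines, relationships,
                            lead=timedelta(days=7), grace=timedelta(days=30)):
    """Return {user: [(patient, iso_timestamp), ...]} for accesses with no relationship."""
    rel_index = build_relationship_index(relationships)
    unexplained = defaultdict(list)
    for line in log_lines:
        ev = parse_log_line(line)
        if not has_treatment_purpose(ev["user"], ev["patient"], ev["ts"],
                                     rel_index, lead, grace):
            unexplained[ev["user"]].append((ev["patient"], ev["ts"].isoformat()))
    return dict(unexplained)


def users_to_review(unexplained, threshold=3):
    """Users whose unexplained accesses cover at least `threshold` distinct patients.
    Distinct patients, not raw events: re-opening one chart is not five lookups."""
    return sorted(
        user for user, events in unexplained.items()
        if len({patient for patient, _ in events}) >= threshold
    )


if __name__ == "__main__":
    findings = find_unexplained_access(ACCESS_LOG, CARE_RELATIONSHIPS)
    for user, events in sorted(findings.items()):
        print(f"{user}: {len(events)} unexplained access(es) on "
              f"{len({p for p, _ in events})} patient(s)")
    print("review:", users_to_review(findings))
```

The threshold is the part the second commenter below is arguing about: set it low and the privacy office drowns in single look-ups that turn out to be legitimate; set it high and a pattern like the one CPMC found is discovered only at the next scheduled audit. Running the rule continuously rather than quarterly is what turns 844 records into a handful.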

The other lesson we need to take from the above HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture of privacy and security. Part of that culture is that they’re sometimes going to catch bad actors whom they need to correct.

Healthcare IT software like EHRs has a great ability to track everything that’s done, and it’s only going to get better at doing it. That’s a good thing, and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like the one mentioned above for their proactive efforts to protect the privacy of their patients’ information. I hope we see more organizations like Sutter Health that take a proactive approach to the security and privacy of healthcare information.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • John, as you note, this is indeed a HIPAA violation, and provider organizations need to be more vigilant about setting access limits, and automated audit and alert systems, in order to mitigate risk (though of course it’s impossible to eliminate risk entirely). In most situations there should be a way of building a rule that would identify access of records by a particular workforce member that is not likely to be tied to a permitted purpose. More than a handful of these and an alarm should go off somewhere — without 844 records being accessed inappropriately. Can we drive this number down to zero? Impossible. Can we drive it down to 12? Sure. Does it cost money? Of course. Is it cheaper than dealing with a breach of 844 records (or Anthem’s 80 million)? Yes. Lots.

  • Good point about reducing the number. No doubt, the number of violations is going to play a key role in determining any punishment. I think we will get better and move that number to 12 as you suggest. Although, if we are too punitive with proactive cases like this, then I don’t think we’ll get there.

  • Also, what is or is not authorized? If, for instance, the employee is trolling through patient records trying to find something to misuse, that is clearly NOT. But if a new employee, for instance, is just practicing retrieving info to better prepare for real need, is that still wrong? Shouldn’t there be some sort of either criminal intent or ‘fooling around’ issue to consider it wrong?


  • R Troy,
    The system should take that into account. Although, someone practicing on the system should do it on a test system. Plus, you could make the case that it’s necessary for your work for you to access some records as part of training. That would be part of work responsibilities. Although, it could be avoided with a test system.

  • John,

    Wherever possible practice should be on a test system – if one exists. There should certainly be clear rules about use not specifically related to actual tasks and patient care duties. Intent, of course, is crucial, but good intent does not always work out as acceptable. But what is allowed should to some degree also be system rule driven; a given user should only physically have access to what he or she needs, all access and all changes should be logged.

