By: HIPAA Journal on Feb 21, 2020
A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.
A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.
Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.
According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.
Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.
“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.
The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records, said Ciaccia.” Upon discovery of unauthorized access, Rochester Regional Health took disciplinary action against Meier.
HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even if access controls and other measures are implemented, it is not possible to prevent all cases of improper accessing of medical records by employees. However, when instances occur, they should be identified quickly.
HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.
HIPAA also requires audit logs to be regularly checked to identify unauthorized accessing of PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meier sooner.