·  Legal News, Analysis, & Commentary

News & Politics

Medical Center Fires Employees for Snooping at Patient Records

— February 28, 2018

Medical Center Fires Employees for Snooping at Patient Records

Thirteen Medical University of South Carolina (MUSC) employees have been terminated for snooping in patient records.  Administrators at the state’s top academic medical center discovered more than a dozen of its staff members had broken federal law in using records without permission, spying on files or disclosing patients’ personal information.  Some of the privacy issues concern the records of high profile clientele.

MUSC staff include designated employees who monitor the news media for any potential privacy breaches.  Sometimes, they said, health care providers will “snoop” at patient records after a case makes the news, and eleven of 58 privacy breaches at MUSC in 2017 meet the criteria for snooping.

While the breach calls attention to the potential for privacy issues associated with electronic medical records, experts say patients shouldn’t worry excessively and most agree that digital medical records are more secure than hardcopy ones.

“Employees are granted access to medical records based on their jobs,” Elizabeth Willis, the corporate privacy officer at Roper St. Francis, said. “Everything they do online is traceable back to them.”  Therefore, perpetrators are more readily caught as every time a file is opened, this leaves a digital footprint.

Photo by Alejandro Escamilla on Unsplash

Steven Cardinal, a senior information security analyst at MUSC, said, that while larger security breaches have made national headlines in recent years, smaller ones still count.  “We just try to stress that a one-person breach is a bad thing for that one person,” Cardinal said. “That’s someone who came to us and trusted us.”

MUSC offers a mandatory annual training for all providers, including medical students, who have access to health records.  Cardinal said his department has been investing more resources into this training in order to further stress the importance of confidentiality. ”This isn’t going to go away,” he said. “The risks are going to keep increasing.”

MUSC administrators explained that the hospital was required to report all 58 patient privacy breaches in 2017 to the federal government.  Thirteen of those breaches resulted in termination.  One board member questioned whether the policy was “draconian.”

The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, created national standards in the medical industry for protecting patient records and privacy.  The U.S. Department of Health and Human Services has been auditing more than 100 institutions for potential HIPAA violations, according to MUSC staff, and MUSC is preparing for the possibility of an audit.

MUSC spokesperson Heather Woolwine issued a statement explaining, “Some breaches are simply a case of information being faxed to the wrong clinic location, whereas others can involve misplaced curiosity or malice.”

Woolwine provided further information about security breaches and terminations at MUSC dating back to 2013.  Since that time, the center has identified 307 breaches and 30 employees have been fired for illegally accessing patient records.  No physicians have been terminated to date.”  Transparency is incredibly important, and necessary, to prevent and discourage future breaches,” she said. “While we know intellectually that we can’t prevent every breach, we will continue to try.”

Dr. Joseph Vanlear Dobson was suspended from MUSC for 29 days without pay in 2016 for looking at his ex-wife’s records fifteen times over the course of six years, between 2008 and 2014.  MUSC also discovered the physician had snooped on his ex-girlfriend’s records seventy times between 2014 and 2016.  Dobson’s ex-wife said she “did not believe that he did it with malicious intent” and his ex-girlfriend gave the pediatrician “retroactive” permission to look at the information.  But retroactive permission does not count in the eyes of the law.

Dobson, who resigned from MUSC in 2016, was fined $440 and was required to take a HIPAA course.  He currently works part-time at Summerville Medical Center and submitted the following statement concerning the matter, “I have proudly served patients and families in South Carolina for more than 15 years.  With reference to the Board of Medical Examiners matter, I completed all requirements, and the matter is closed.  My license to practice medicine is in good standing.”


MUSC terminates employees who ‘snoop’ in patients’ medical records

MUSC Fired 13 Over Patient Privacy Breaches

Join the conversation!