Kennewick, Wash. – Trios Health has concluded its investigation into a former employee's inappropriate access to hospital medical records. A total of 1,603 patient medical records were accessed without authorization over a period of more than three years beginning in October 2013.
Trios publicly disclosed the breach—which was discovered as part of a thorough, planned compliance audit—on May 30 as the internal investigation continued. At that time, the electronic health records (EHRs) of approximately 600 patients were confirmed to have been accessed by the employee outside of normal job functions. The employee, who was placed on involuntary leave upon initial discovery of unauthorized EHR access, was terminated in May. The investigation concluded yesterday, June 22.
The former staff member had access to Trios Health’s EHR systems to perform assigned job responsibilities; however, the patient EHRs considered to have been breached were those accessed by the staff member without a legitimate business purpose. Each unauthorized access of a patient EHR is a violation of the Health Insurance Portability and Accountability Act (HIPAA) as well as Trios Health policy.
As HIPAA requires, Trios self-reported the breach and has provided routine updates to the State Attorney General and the Office for Civil Rights (OCR)—the agency within the U.S. Department of Health and Human Services that enforces the HIPAA privacy and security rules—for their own investigation. Those agencies will ultimately determine the extent of any repercussions to Trios Health as well as to the former employee.
“We are deeply disappointed about the former employee’s actions, and to now be in a position to report so many additional patients potentially affected by those actions is regrettable to say the least,” said Elizabeth Rice, director of Health Information Management at Trios Health since January, and appointed compliance officer in April. “As upsetting as it is for all affected, we are not going to hide from this and pretend it didn’t happen. It did happen, it involves the actions of one person and is not broadly representative of our staff or our privacy standards, and we’re taking many steps to ensure it doesn’t happen again.”
The records accessed may have included information pertaining to a patient’s Trios Health visits (not including visits to outpatient Trios Medical Group providers), diagnoses, and demographic information including addresses, phone numbers, driver’s license numbers, and Social Security Numbers. As a precaution, all patients whose records were accessed without authorization are being notified and offered one year of free identity-theft protection and advanced fraud-monitoring services at Trios Health’s expense.
“Based on our investigation, we believe there is very low risk that any of the patient information accessed will be used or re-disclosed in the future,” said Rice. “However, offering that extra measure of protection to our patients is the right thing to do regardless of perceived risk. It’s crucial to us that our patients know we take the protection of their information very seriously.”
Healthcare employees receive extensive training and annual refreshers on compliance issues, including the protection of patient health information and proper access to patient EHRs. In response to the recent breach, Trios Health is deploying additional patient privacy training to staff, completing a full security risk assessment for privacy matters, adding software that cautions employees as they initiate access to EHRs, auditing privacy policies, and implementing standard access-auditing processes to further protect patient health information.
Patients concerned about their health records, but who do not receive a notification by certified mail during the week of July 3 or do not have a current mailing address on file with Trios Health, may call the Health Information Management department at 509-221-5720 (option 2), Monday through Friday, between 7 a.m. and 4 p.m. Pacific Standard Time. They may also consult the Trios website for a list of Frequently Asked Questions at www.trioshealth.org/Privacy or submit questions not answered there to Privacy@trioshealth.org for response.