The Minneapolis Star Tribune has reported that two hospitals in Anoka County, Minnesota, terminated a combined total of 32 employees for unauthorized access of electronic medical records on May 6, 2011. The two hospitals, Unity Hospital in Fridley, Minnesota and Mercy Hospital in Coon Rapids, Minnesota, are both part of the Allina Health System. In April, the Minnesota Court of Appeals, in an unemployment compensation decision, upheld the enforcement of Allina’s "zero-tolerance policy" with regard to unauthorized access to medical records. Allina relied on the same policy in the latest firings.
The records leading to the mass termination related to a tragic incident involving 11 teenagers and young adults who were hospitalized after overdosing on synthetic drugs after a party on March 17. One of them, a 19-year old, died and murder charges have been brought against a Blaine, Minnesota, man who allegedly provided the drugs.
Allina stated that it has the ability to track any employee’s access of electronic medical records and, because these patients were involved in a "high profile case," the hospital conducted a review of their audit trails and discovered that 32 employees had accessed the records without authorization.
The increasing use of electronic medical records make these types of audits easier and more important than ever before. Although the high number of employees involved is unusual, according the Star Tribune report, it is not the largest on record – in 2007 more than 100 employees were suspended from another Minnesota medical provider for similar concerns.
The HIPAA security regulations require that covered entities be able to audit activities on information systems containing electronic protected health information. With increasing agency enforcement, health care providers and other covered entities and business associates should revisit this aspect of the HIPAA policies and procedures.
Update: read the Star Tribune editorial justifying the firings.