What was this worker for a healthcare provider thinking? Didn’t (or doesn’t) the provider offer any kind of information security or privacy training or awareness communications?
Here “are some of the comments, according to printouts one of the women saved: ‘Today is straight from hell!! I had enough yelling, swearing, bleeding, crying (expletive)’ A woman’s abortions are mentioned. Another patient is ridiculed for asking about gingerbread cookies the doctor recommended for nausea, ‘Some women shouldn’t reproduce.’”
The MySpace page reportedly contained names and details about patients and their care, complaints, symptoms, etc.
Not only should the healthcare provider fire the worker; the Department of Health and Human Services (HHS) should also audit the provider to determine whether it should be sanctioned. It looks like there may be some violations with regard to required policies, training and awareness.
We entrust some very sensitive information to our healthcare providers. They should be held to protecting that information, held to the full extent of the law, and sanctioned appropriately when they do not fully protect patient information.