Three Times This University Hospital Had to Act Against HIPAA Violations

Veriphyr proactively reports impermissible use of PHI the first time it happens.


Shoulder Surfing

A hospital at the University of Iowa fired a full-time medical assistant for breaching patient privacy by “shoulder surfing”.

The medical assistant was accused of looking over the shoulder of a co-worker while he examined a patient’s medical record. She claimed she only did this to see if the co-worker was examining a patient’s medical record without authorization.

The medical assistant then reported the co-worker and provided information about the patient being accessed to her supervisor. In response, the hospital fired her because she violated the Health Insurance Portability and Accountability Act (HIPAA) twice: once, when she looked at the patient’s records over her co-worker’s shoulder, and a second time when she gave her supervisor information about that patient.

According to the hospital spokesperson, this medical assistant had needed disciplinary action before (a).


Best Wishes to the New Mother

A couple of years later, a different University of Iowa employee violated HIPAA with casual gossip.

The University of Iowa fired a student health medical assistant for discussing the positive pregnancy test of a well-known athlete’s girlfriend. The university found that discussing the results of the test violated HIPAA.

In response, the employee stated she was simply hoping aloud that the pregnancy was happy news for the couple. She worked for the university health center for fourteen years. Each of those fourteen years would have included the annual privacy training (b).


Football Fanatics

Years earlier, thirteen football players at the University of Iowa required hospitalization for rhabdomyolysis, a stress-induced syndrome that can cause kidney problems (c). This required the school to investigate whether the grueling off-season workouts were the cause, which gave rise to a flurry of press.

Unfortunately, publicity for patients can make their medical records more likely to be breached, and the college football players were no exception. The University hospital had to fire three employees and suspend two others for illegally accessing the medical records of the players. As a result, the disciplined employees could face fines or jail time (c).

Players and their families have been notified of the potential violations (d).

University of Iowa spokesperson Tom Moore said of the breach,

“we want to reassure patients that their privacy is one of our top priorities. Privacy and confidentiality is… the very cornerstone of trust between the healthcare provider and the patient” (c).

Veriphyr’s advanced data analytics service automatically detects and reports impermissible use of patient data, so hospitals are notified of a breach the first time it happens and can prevent further HIPAA violations.

The Sources

(a) Des Moines Register 

(b) The Gazette, May 23, 2015

(c) KWWL News

(d) Press Release, January 28, 2011