Reporting privacy violations

March 3, 2006

Q: I'm part of a group surgical practice. After we dismissed one of our employed physicians, he accessed patient files from his home computer. Was this a HIPAA violation and, if so, whom should we contact to complain about his actions?

A: To answer the first part of your question, Yes, this was probably a HIPAA violation. Once you dismissed the employed physician, he was no longer entitled to records that belong to the practice, unless patients specifically authorized that they be transferred to him. As for filing a complaint (there's no mandatory reporting requirement), contact the Office for Civil Rights, US Department of Health and Human Services, for your region. (To file a complaint online, go to http://www.hhs.gov/ocr/privacyhowtofile.htm, where a list of regional offices is included.)

There's another issue you should consider, however: Why was your former employee able to access practice records in the first place? And do you have appropriate security measures in place to prevent this kind of thing from occurring again? If the answer to the second question is No, take appropriate action to ensure that your medical record system is secure.