
While working at a healthcare facility I happened to notice a nurse practitioner reviewing the
medical records of her ex-husband. I know that there is no authorization on file granting the
provider access to this person’s EHR.

The Health Insurance Portability and Accountability Act (HIPAA) sets forth policies and
standards for how patient information may be shared. The U.S. Department of Health and
Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA
privacy and security rules. The NP violated the HIPAA Privacy Rule. “The Privacy Rule
standards address the use and disclosure of individuals’ health information (known as ‘protected
health information’) by entities subject to the Privacy Rule. These individuals and organizations
are called ‘covered entities’” (CDC, 2020).

My organization must notify the ex-husband about the breach of his records, including what
information was accessed and when.

After conducting an internal audit, I discovered that the NP only accessed this one record
without permission or reason, which constitutes a Tier 3 violation. I will also be terminating
the NP, as we have a strict compliance rule regarding “snooping” in the EHR, and will report
her action to the state board as well as HHS.

As an organization, we will conduct monthly access audits and update our bi-annual HIPAA
training, as well as send out a reminder to staff about HIPAA compliance and privacy rules.

Through my organization’s corrective actions, and provided that we do not have any further
breaches, we most likely will not face sanctions.

A fact that may have led to a different conclusion would be if the NP was found to have accessed
more than 500 charts without permission or reason. In that case, HHS OCR would need to
investigate, which could possibly lead to civil and criminal charges against the NP and perhaps
the organization, depending upon the investigation’s determination.

I think it is very important that you pointed out that an employer’s policy might still
be violated if the person does not notify the employer of her actions ahead of time or formally
request the records, which could still lead to disciplinary action. When I worked for a local
hospital a few years ago, it was stipulated during training that even if I had permission to
access, say, my child’s EHR, I would still be in breach of company privacy rules if I looked up
his record (or even my own, for that matter) without first going through the proper channels.

I’m still not sure if she is allowed to access her ex-husband’s medical record in the
scenario you listed. This is still a huge HIPAA violation and is ethically unsound. The NP
should not be providing healthcare services to her ex-husband, especially if he cannot
willingly consent (unless there is an actual emergency). This is a huge compliance and
confidentiality issue, not to mention an ethical one. There is no reason this NP should have
been looking at her ex-husband’s record and, in my opinion, she should be terminated.

References

American Medical Association (AMA). (2020). HIPAA violations & enforcement. Retrieved
from https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement

Centers for Disease Control and Prevention. (2020). Health Insurance Portability and
Accountability Act of 1996 (HIPAA). Retrieved from
https://www.cdc.gov/phlp/publications/topic/hipaa.html

HIPAA Journal. (2018, April 3). What happens if you break HIPAA rules? Retrieved from
https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/
