Thirteen employees were fired in 2017 from the Medical University of South Carolina after administrators determined they had broken federal law by using patient records without permission, spying on patient files or disclosing private information.
Some of these privacy breaches involved high-profile patients.
MUSC staff explained to the hospital's Board of Trustees during a recent meeting that designated employees monitor the news media for any potential privacy breaches. Sometimes, they said, health care providers will "snoop" in patient records after a case makes the news. Eleven of 58 privacy breaches at MUSC in 2017 were categorized as snooping.
While other Lowcountry hospitals reported they fired no employees for such violations in 2017 or would not disclose any personnel data, the punitive actions taken at MUSC shed light on human resources decisions made by leaders at the state's top academic medical center, and more broadly, the security of confidential health care information in the digital age.
But patients shouldn't worry excessively about the security of their own information. Experts agree that digital medical records are more secure than paper ones.
Elizabeth Willis, the corporate privacy officer at Roper St. Francis, said the ability to track each employee who opens a record makes patient files less vulnerable to a security breach.
“Employees are granted access to medical records based on their jobs,” Willis said. “Everything they do online is traceable back to them.”
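The point Willis makes, that every chart open is attributable to a named user, is what makes the "snooping" monitoring described elsewhere in this story possible: a privacy officer can compare the access log against who actually has a treatment relationship with each patient. The script below is an added illustration of that check, not code from MUSC, Roper St. Francis or any EHR vendor. The audit-log format (tab-separated timestamp, user, role, patient, action), the care-team roster, the watch list of patients under heightened monitoring and all log lines are constructed for the example.

```python
"""Flag chart accesses with no treatment relationship in an EHR access-audit log.

Added example with constructed data. The log format, roster and thresholds are
assumptions for illustration, not any hospital's real audit schema.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Set


class Access(NamedTuple):
    ts: str       # ISO-8601 timestamp of the chart open
    user: str     # login of the employee (every access is traceable to a person)
    role: str     # job role granted to that login
    patient: str  # patient identifier whose record was opened
    action: str   # VIEW, PRINT, EXPORT, ...


# Constructed audit log: one chart open per line, tab-separated.
SAMPLE_LOG = "\n".join([
    "2017-03-01T08:02:11Z\tnurse017\tRN\tP1001\tVIEW",
    "2017-03-01T08:05:40Z\tmd042\tMD\tP1001\tVIEW",
    "2017-03-01T09:10:03Z\tclerk233\tREG\tP1001\tVIEW",   # clerk, no care role
    "2017-03-02T12:00:00Z\tmd042\tMD\tP2002\tVIEW",       # not on P2002 care team
    "2017-03-02T12:01:10Z\tmd042\tMD\tP2002\tVIEW",
    "2017-03-03T12:01:10Z\tmd042\tMD\tP2002\tVIEW",
    "2017-03-05T07:30:00Z\tmd077\tMD\tP2002\tVIEW",       # legitimate care-team access
    "2017-03-06T14:00:00Z\tnurse017\tRN\tP3003\tVIEW",    # single off-team access
])

# Constructed roster: which users have an active treatment relationship with
# which patients (in practice derived from encounters, orders and assignments).
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"nurse017", "md042"},
    "P2002": {"md077", "nurse088"},
    "P3003": {"md077"},
}

# Constructed watch list: patients whose records get extra scrutiny, e.g. after
# a case appears in the news and curiosity-driven access becomes more likely.
WATCHLIST: Set[str] = {"P2002"}


def parse_log(text: str) -> List[Access]:
    """Parse tab-separated audit lines into Access records; reject malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"malformed audit line: {line!r}")
        records.append(Access(*parts))
    return records


def detect_snooping(records: List[Access], care_team: Dict[str, Set[str]],
                    watchlist: Set[str], repeat_threshold: int = 3) -> List[dict]:
    """Return one finding per (user, patient) pair accessed without a care relationship.

    Severity is raised when the patient is on the watch list or the same user
    opened the record repeatedly, the pattern in the cases this story describes.
    """
    counts: Counter = Counter()
    first_seen: Dict[tuple, str] = {}
    for rec in records:
        if rec.user in care_team.get(rec.patient, set()):
            continue  # legitimate: user is on this patient's care team
        key = (rec.user, rec.patient)
        counts[key] += 1
        first_seen.setdefault(key, rec.ts)

    findings = []
    for (user, patient), n in sorted(counts.items()):
        reasons = ["no treatment relationship"]
        if patient in watchlist:
            reasons.append("watchlist patient")
        if n >= repeat_threshold:
            reasons.append(f"repeated access x{n}")
        findings.append({
            "user": user, "patient": patient, "count": n,
            "first_seen": first_seen[(user, patient)],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_snooping(parse_log(SAMPLE_LOG), CARE_TEAM, WATCHLIST):
        print(f"{finding['severity']:<6} {finding['user']:<9} {finding['patient']:<6} "
              f"x{finding['count']} {'; '.join(finding['reasons'])}")
```

Run as-is it reports three findings: a registration clerk opening a chart once (medium), a physician opening a watch-listed patient's chart three times with no care relationship (high), and a nurse's single off-team access (medium). The design choice worth noting is that the roster, not the role, decides legitimacy: a physician login is not a blanket licence to read any chart, which is exactly the gap the Dobson case later in this story illustrates.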
Steven Cardinal, a senior information security analyst at MUSC, told The Post and Courier most people characterize security breaches as the massive kind that make the news, such as the hacking that affected 79 million Anthem customers in 2015. But Cardinal's team has been communicating to MUSC's practitioners how small breaches can be harmful to patients, too.
"We just try to stress that a one-person breach is a bad thing for that one person," Cardinal said. "That’s someone who came to us and trusted us."
All MUSC providers, including medical students, who have access to health records are required to complete annual training. Cardinal said his department has been investing more resources into this training, including in-person forums open to everyone, to communicate the importance of the issue.
"This isn’t going to go away," he said. "The risks are going to keep increasing."
At the recent MUSC Board of Trustees meeting, staff explained that the hospital was required to report all 58 patient privacy breaches in 2017 to the federal government. Thirteen of those breaches resulted in firings. One board member questioned whether the policy was "draconian."
Staff explained that the threat of a federal audit prompted leaders to take swift action against employees who violated the Health Insurance Portability and Accountability Act of 1996. Commonly called HIPAA, the law created national standards for protecting patient records and privacy. The U.S. Department of Health and Human Services has been auditing more than 100 institutions for potential HIPAA violations, MUSC staff said, and MUSC is preparing for the possibility that it, too, might be audited.
In cases where HHS finds wrongdoing, it may impose fines, require the institution to develop a plan of correction and monitor the institution for a set period of time.
MUSC spokeswoman Heather Woolwine issued a statement underscoring that the hospital takes patient privacy seriously and deals with any breach quickly and decisively.
"Some breaches are simply a case of information being faxed to the wrong clinic location, whereas others can involve misplaced curiosity or malice," Woolwine said.
She provided further information about security breaches and terminations at MUSC dating back to 2013. Since then, MUSC has identified 307 breaches and 30 employees have been fired. Nearly half of all those firings occurred last year. None were physicians, Woolwine said.
"Transparency is incredibly important, and necessary, to prevent and discourage future breaches," she said. "While we know intellectually that we can’t prevent every breach, we will continue to try.”
Federal law requires health care providers to use electronic medical records. And while high-profile security breaches occasionally make national news, health care experts agree that digital records are less likely to be lost, stolen or rifled through in an electronic format.
Sharon Harper, a registered nurse and owner of Coastal Patient Advocates, explained that patients may request to see who has accessed their information.
“And if they couldn’t get it, their attorney certainly could,” Harper said.
At MUSC, some employees have violated the law when they poked around patient files where they weren't supposed to be looking. In one case, an ex-spouse repeatedly accessed his former wife's private information.
Dr. Joseph Vanlear Dobson was suspended from MUSC for 29 days without pay in 2016 for looking at his ex-wife's records 15 times between 2008 and 2014. MUSC found out through an additional investigation he had snooped on his ex-girlfriend's records 70 times between 2014 and 2016.
Dobson's ex-wife said she "did not believe that he did it with malicious intent" and his ex-girlfriend gave the pediatrician "retroactive" permission to look at the information.
But retroactive permission does not count as far as the law is concerned.
Dobson, who resigned from MUSC in 2016, was fined $440 and was required to take a HIPAA course, according to records published by the S.C. Board of Medical Examiners. Dobson now works part time at Summerville Medical Center and confirmed in a prepared statement that he resigned from MUSC.
"I have proudly served patients and families in South Carolina for more than 15 years," Dobson said. "With reference to the Board of Medical Examiners matter, I completed all requirements, and the matter is closed. My license to practice medicine is in good standing."
A spokesman for Trident Health, which owns Summerville Medical Center, would not disclose how many employees have been terminated for HIPAA violations at the hospital system in recent years.
Likewise, a spokesman for Roper St. Francis said the hospital system would not provide the number of employees fired for HIPAA violations.
A spokeswoman for East Cooper Medical Center said no one at the hospital has been fired for such a violation in the past five years, and a spokeswoman for the Ralph H. Johnson VA Medical Center offered data showing one employee in 2013 and one employee in 2018 were removed for HIPAA violations. More often, employees at the VA were reprimanded or suspended for violations.
"Violators are subject to administrative action and possible criminal prosecution for misuse," said Meredith Hagen, a spokeswoman for the Charleston VA hospital, in a statement. "The Privacy Officer and Information Security Officer continuously monitor for any inappropriate access to the records."
The federal Department of Health and Human Services, which polices the HIPAA law, did not respond to questions for this story.
Large HIPAA breaches — defined as those that affect more than 500 individuals — are searchable online. The federal database currently shows no large breaches under investigation in South Carolina. In the past five years, 23 large breaches have been reported in the Palmetto State. The most recent one took place at a Roper St. Francis facility and affected 576 individuals in January 2017.
That month, a digital camera used to take photos of newborn babies at Roper St. Francis Mount Pleasant Hospital was reported missing. The pictures and identifying information for approximately 500 babies were stored on the camera's memory card. The loss constituted a privacy breach, and the hospital was required to report the incident to the federal government.
In another large case, a South Carolina Medicaid employee transferred private records to a personal email account, compromising information for 228,435 people in 2012.
And while the federal government may levy large fines for HIPAA violations, a 2015 ProPublica investigation found it rarely issues financial penalties. In fact, among the 23 large breaches reported in South Carolina since 2010, the federal database does not indicate any fines were ever imposed.