Jessica Meier, 41, of Hamlin, NY, has been accused of accessing a patient's health records without authorization on countless occasions in an effort to find information that could be used in a child custody case. She is a former employee of ACM Global Laboratories, which is an associate of Rochester Regional Health.
The alleged HIPAA violations became the subject of a criminal investigation after Meier allegedly abused her access rights to patient data for malicious reasons.
Kristina Ciaccia had a relationship with Meier's half brother in the past and is involved in an extended child custody case. In court, Ciaccia learned of a past visit by her own brother to the Rochester Regional Health emergency room, a visit she herself had not known about. She suspected that someone was snooping on her family's medical records and reported the issue to Rochester Regional Health.
According to court records, the Rochester Regional Health audit showed that Meier had accessed Ciaccia’s private medical records more than 200 times from March 2017 to August 2019 without any legitimate work reason. It was also confirmed that Meier had viewed the health records of Ciaccia’s family members.
Ciaccia reported the criminal HIPAA violations to law enforcement, which prompted the investigation. Meier was arraigned in Gates Town Court on February 11, 2019 on 215 felony counts of computer trespass plus 215 misdemeanor counts of unauthorized access of a computer. The case will likely be heard before a grand jury after Meier pleaded not guilty to all counts.
People who snoop into somebody’s health records must be held accountable and charged. Ciaccia feels that Rochester Regional Health must also be held responsible, not for the breach but for the failure to flag a recurring privacy violation that went on for over two years.
Rochester Regional Health only learned of the unauthorized health record access after Ciaccia reported the potential privacy violation. Ciaccia stated that she felt like Rochester Regional paid Meier all year to access her health records. Rochester Regional Health subjected Meier to disciplinary action after becoming aware of the unauthorized access.
HIPAA requires healthcare institutions to implement safeguards to protect the confidentiality, availability, and integrity of patient data. Even with access controls and other security measures in place, it isn’t possible to prevent every instance of improper access to health records by employees. Nevertheless, when improper accesses occur, they must be identified immediately.
HIPAA expects healthcare organizations to maintain audit logs that record access to protected health information (PHI). Those logs make it possible to perform audits, as happened when Ciaccia brought the matter to Rochester Regional Health’s attention.
HIPAA additionally calls for regular review of audit logs to identify unauthorized PHI access. Had the audit logs been monitored more carefully, Rochester Regional Health should have identified the privacy violation and applied sanctions against Meier a lot sooner.