A former staff member of ACM Global Laboratories, part of Rochester Regional Health, has been accused of viewing a patient's medical records without permission on hundreds of occasions in an attempt to find information that could be submitted as part of a child custody battle.
A criminal investigation into the alleged HIPAA breaches by Jessica Meier, 41, of Hamlin, NY, was initiated when it was suspected that she had been abusing her access rights to patient information for malicious reasons.
Kristina Ciaccia had previously been in a relationship with Meier’s half brother and has been in a long child custody battle. In court, Ciaccia was told about a past visit by her own brother to the emergency room at Rochester Regional Health, a visit she herself had not known about. Suspecting that someone was snooping on her family’s medical histories, Ciaccia reported the matter to Rochester Regional Health.
According to court documents, the Rochester Regional Health audit showed that Meier had accessed Ciaccia's private medical records more than 200 times between March 2017 and August 2019 without any legitimate work reason for doing so. It was also confirmed that Meier had viewed the medical records of members of Ciaccia’s family.
Ciaccia reported the alleged criminal HIPAA breaches to the police and an investigation was begun. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.
“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.
The unauthorized medical record access was only found after Ciaccia reported the possible privacy breach to Rochester Regional Health. Ciaccia said: “I feel like Rochester Regional pay her all year to go in my medical records.” Upon finding the unauthorized access, Rochester Regional Health took disciplinary action against Meier.
HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even when access controls and other measures are in place, it is not possible to stop every case of improper access to medical records by staff members. However, when such instances occur, they should be identified swiftly.
HIPAA requires audit logs to be maintained to record access to protected health information. Those logs allow audits to be conducted, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.
HIPAA also requires audit logs to be regularly reviewed to identify unauthorized access to PHI. Had the audit logs been reviewed more closely, the privacy violation could have been identified and sanctions could have been applied against Meier more quickly.
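As an added illustration (not code from Rochester Regional Health or from the reporting above), a routine audit-log review could flag employees who repeatedly open the records of one patient or family with no work item tied to the access. The log format, field names, family mapping and thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data). work_item is empty when no
# order or specimen links the access to the employee's assigned work.
SAMPLE_LOG = """timestamp,user,patient_id,work_item
2017-03-02T09:14:00,emp_a,P100,
2017-03-02T09:20:00,emp_b,P200,ORD-1
2017-06-11T14:02:00,emp_a,P100,
2018-01-23T08:45:00,emp_a,P101,
2018-09-30T16:30:00,emp_a,P100,
2019-02-05T11:00:00,emp_b,P100,ORD-7
2019-08-19T10:10:00,emp_a,P100,
2019-08-19T10:12:00,emp_c,P300,
"""

# Hypothetical family linkage: patient id -> family group id.
FAMILY = {"P100": "F1", "P101": "F1"}


def flag_repeat_access(log_text, family=None, min_accesses=3, min_days=2):
    """Return (user, group, accesses, distinct_days, first, last) tuples for
    users who repeatedly open records of one patient or family group with no
    work item justifying the access."""
    family = family or {}
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["work_item"].strip():
            continue  # access is tied to assigned work; not of interest here
        group = family.get(row["patient_id"], row["patient_id"])
        hits[(row["user"], group)].append(datetime.fromisoformat(row["timestamp"]))
    findings = []
    for (user, group), times in hits.items():
        days = {t.date() for t in times}
        if len(times) >= min_accesses and len(days) >= min_days:
            findings.append((user, group, len(times), len(days),
                             min(times).date().isoformat(),
                             max(times).date().isoformat()))
    # Most-accessed pairs first so a reviewer sees the worst cases at the top.
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for finding in flag_repeat_access(SAMPLE_LOG, FAMILY):
        print(finding)
```

Grouping by family catches access spread across relatives' records, which a per-patient count alone would understate.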