- The state of New York has suspended Martha Smith-Lightfoot, a former nurse at the University of Rochester Medical Center (URMC), for a HIPAA violation.
Smith-Lightfoot admitted to disclosing PHI when she took a list of more than 3,000 patients from URMC to her new employer, Greater Rochester Neurology (GRN), in 2015, explained a June 8 article in the Democrat & Chronicle.
The list included the patients’ names, addresses, dates of birth, and diagnoses. Smith-Lightfoot asked for the list to ensure continuity of care for the patients. However, she did not receive the permission of URMC or the patients to give the information to her new employer.
Smith-Lightfoot admitted to violating HIPAA in a consent order she signed with the state nursing board’s Office for Professional Discipline, the newspaper noted. In addition to a one-year suspension, she received a one-year stayed suspension and three years’ probation.
Attempts by the newspaper to reach Smith-Lightfoot were unsuccessful.
In 2015, URMC was fined $15,000 for the HIPAA violation, and it agreed to train its workforce on policies and procedures regarding handling of PHI. URMC was alerted to the breach when patients called the center to complain about letters they had received from GRN.
URMC sent notification letters to the affected patients, and the media was alerted. GRN has attested that all health information transmitted by URMC has been returned or deleted.
“This settlement strengthens protections for patients at URMC, and it puts other health care entities on notice that my office will enforce HIPAA data breach provisions,” said then-Attorney General Eric Schneiderman in a statement.
“My office is committed to protecting patients’ private health information. Other medical centers, hospitals, health care providers, and health care entities should view this settlement as a warning, and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information,” he added.
Under the settlement, URMC agreed to provide the attorney general’s office with its policies and procedures that govern the privacy, security, and breach notification regarding PHI, to identify any revisions it had made in the aftermath of the breach, and to provide a copy of any additional documents that provide guidance to its workforce about PHI policies and procedures for incoming and department staff.
In addition, URMC was required to train its workforce who regularly worked with PHI on policies and procedures revised in response to the breach and on any new guidance explaining existing policies and procedures for incoming or departing staff. It was also required to keep written records documenting the training and certify annually to the attorney general’s office that all members who work with PHI had received the training.
“URMC shall not involve any member of its workforce in the use or disclosure of protected health information if that workforce member has not received the required training,” the settlement noted.
In addition, the URMC agreed to notify the attorney general about a PHI breach within 60 days of the breach if the number of individuals affected exceeded 15, for three years from the settlement date.
State attorneys general are empowered under the HITECH Act to enforce HIPAA rules by permitting civil actions against violators.
Following the breach, the URMC Privacy and Security Executive Committee met to review its existing HIPAA privacy and security policies and protocols. The committee set up a task force to review and revise existing policies and protocols on permitted PHI disclosures for departing and incoming employees.
URMC began drafting stricter patient privacy rules for departing and incoming staff following the breach. “There are do’s and don’ts, and those are being very clearly spelled out in the policy guidelines that we're drafting," David Kirshner, who is senior vice president and chief financial officer for the medical center, told the Democrat & Chronicle.
"It's going to be very clear that obviously there does need to be some attention paid to ensuring continuity of care," said Spencer Studwell, the university's associate vice president for risk management.
Studwell, who served with Kirshner as co-chairmen of the Privacy and Security Executive Committee, said that “there's basically a right way and a wrong way to do it. We want to make sure going forward that people are always doing it the right way."