Two Employees Fired for Impermissible PHI Disclosures to Third Parties

By | March 8, 2021

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of approximately 65,000 of its members to a third-party for training purposes.

Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA.

The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor.

The types of data disclosed includes member names’, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of service, medical record numbers, treatment information, and medical images.

While the disclosures were not made for malicious purposes and further disclosures of the PHI are not believed to have occurred, Humana is offering affected individuals 2 years of complimentary credit monitoring and identity theft protection services.

UPMC St. Margaret Fires Employee for Impermissible PHI Disclosure

UPMC St. Margaret has discovered an employee impermissibly disclosed the protected health information of certain patients to a third-party organization without authorization.

On August 2020, UPMC, St. Margaret discovered a medication administration report had been sent to an organization when there was no legitimate work purpose for doing so. The report contained information such as names, UPMC identification numbers, and medication administration data, including drug name, dose, time/date of administration, and the reason for providing medication.

Following the discovery of the impermissible disclosure, the employee’s access to UPMC systems was terminated, as was the individual’s employment with UPMC after the investigation was completed. Affected individuals were notified about the privacy breach on March 5, 2021. No reason was provided as to the notification delay.

The post Two Employees Fired for Impermissible PHI Disclosures to Third Parties appeared first on HIPAA Journal.