by John W. Mitchell
, Senior Correspondent | May 27, 2015
A radiologist who unlawfully accessed a colleague’s medical record has signed a consent agreement with the Ohio State Board of Medicine submitting to disciplinary action.
Dr. Aimee Hawley's actions violated the federal Health Insurance Portability and Accountability Act (HIPAA), and have resulted in her medical license being put on probation — although she is permitted to practice during the probation period.
Joan Wehrle, education & outreach program manager at the State Medical Board of Ohio, told DOTmed News the incident provides a learning opportunity to all caregivers. “No one can access a patient’s medical records unless they are a treating or consulting physician or have permission from the patient,” said Wehrle.
No reason was given for Hawley’s interest in the medical record and Wehrle said the source of the complaint is protected and confidential.
John Sanchez, president of Innova Health Associates and a certified expert in health care risk management and compliance, told DOTmed News that Hawley’s transgression is one of the more common HIPAA violations.
“Health care providers tend to have broad access to hospital medical record systems,” he explained. “Even though HIPAA and patient privacy regulations have been around for a number of years, there are still health care workers who do not have a strong understanding of the requirements.”
He noted that a good HIPAA compliance program tailors education to the target audience, be it physicians, nurses or coding and billing staff.
Patients and employees, he noted, most commonly report violations. Electronic health records widely adopted by hospitals and physicians also identify violations through ongoing software audits.
Beth Keehn, a spokesperson for Mercy Health St. Rita’s Medical Center, where the physician colleague was a patient, declined to comment to DOTmed News on the September 2013 incident, other than to say that Hawley left the hospital medical staff about a year ago.
The consent agreement, which is publicly attached to her medical license, requires Hawley to agree to a reprimand and probationary punishment. According to the agreement she “intentionally accessed the electronic medical records of a physician colleague (and) further admits that she was not a treating physician, nor was she asked to consult, or provide diagnostic service.”
Under the consent agreement Hawley agreed to several terms. These include: quarterly declarations to confirm compliance, face-to-face meetings as requested by the medical board, and attending medical ethics training, which includes submitting a written report on what she learned. She is also required to write a letter of apology to her physician colleague.
“Organizations and individuals may also face private civil tort actions as a result of a HIPAA violation," said Sanchez. "Some professional liability carriers are now offering data breach insurance as part of the risk management strategy, although the best strategy is to develop a sound HIPAA compliance program.”