According to a Monday WCCO-TV news report, a nurse employed by Minnesota Blue Cross Blue Shield stands accused of illegally accessing a state database containing the prescription drug records of approximately 1 million state residents.
The database – administered by the Minnesota Board of Pharmacy – contains names, addresses and prescription records and was set up in an attempt to monitor the abuse of pharmaceutical products and prescription drugs. When an individual has an addiction, they usually visit multiple locations to obtain their prescriptions and by monitoring the database cases of medication abuse and addiction can be identified.
Minnesota Blue Cross Blue Shield is permitted to access the database in order to monitor drug use in state-run medical programs and receives payment from the state to do so. Two employees are granted access for this purpose.
In 2010, the Minnesota Department of Human Services and Blue Cross Blue Shield gave one of its registered nurses, Jim Johnson, access to the database for this purpose. In March 2012 he was reassigned and another employee took on the role.
However, instead of Johnson’s access rights being terminated, he was still able to login to the database and he continued to do. It was only when an audit – 8 months later – uncovered 249 cases of improper access that rights to view the database were terminated. During that time Johnson is alleged to have viewed the prescription information of 56 individual patients on numerous occasions.
A state investigation into the data breach determined that Johnson accessed patients’ personal social media accounts, and on one occasion, a picture of a patient was emailed to other Blue Cross Blue Shield employees via an internal network. These are breaches of the HIPAA Privacy Rule, which prevents the sharing of Protected Health Information and personal identifiers without the consent of the patient.
Under HIPAA Rules, access to Protected Health Information (and personally identifiable information) must be restricted and monitored. If Johnson’s new position did not require access to the data, it would violate HIPAA Rules if his access was not stopped when his position changed. The delay of 8 months is also another potential HIPAA violation as data access logs should be monitored frequently for signs of inappropriate access.
While the audit suggested 56 patient records had been viewed, the Minnesota Department of Human Services claims only 16 records were illegally accessed by Johnson, with the remainder being legitimate access attempts. The number of victims has not yet been confirmed, but regardless of the total it a HIPAA violation.
According to WCCO reporters, the Minnesota Department of Human Services claimed it was not bound to report the breach to the Department of Health and Humans Services’ Office for Civil Rights as it involved fewer than 500 individuals.
Under the HIPAA Breach Notification Rule, breaches involving fewer than 500 individuals do not need to be reported immediately, but breach notification reports must still be sent to the OCR annually. If the Minn. DHS is unaware of this requirement and has not been reporting sub-500 record breaches, this would violate the HIPAA.
The WCCO report focuses on Johnson’s background and suggests that Minnesota BCBS may also have breached HIPAA rules by failing to conduct a background check on Johnson prior to employing him for a position that allowed access to the prescription database.
Johnson has a history of narcotics theft, and while it is not illegal to grant access to the prescription database to an individual with a past history of narcotics theft, it is a questionable decision. According to the WCCO-TV report, when its reporters contacted the Minnesota Department of Human Services and the Minnesota Board of Pharmacy regarding Johnson’s background, both claimed to be unaware of his history.
WCCO-TV reporters found it easy to find out about Johnson’s history as it is detailed on the Board of Nursing’s website. Johnson had previously admitted to stealing narcotics meant for critically ill infants at Children’s Hospital in St. Paul and his employment was terminated in 2000, two years later he admitted to stealing morphine after testing positive, and lost his job at Unity Hospital in Fridley. In spite of these cases of drug theft, Johnson retained his nursing license and started work with BCBS three months later.
While not specifically mentioned in HIPAA Rules, a background check on any new employee should be conducted – or at least references obtained – prior to granting access to a database containing the PHI of a million individuals.
Johnson told state investigators that he had previously informed his supervisor that his access to the database had not been stopped. If this was the case, BSBC would find it difficult to argue that they were unaware of the problem.
Although no HIPAA violations have been proven, the incident strongly suggest a number of HIPAA Rules have potentially been broken, some of which may constitute willful neglect and could conceivably carry the maximum penalty of $1.5 million per violation category, per year it was allowed to persist. For individual violations, the penalty for willful neglect is a minimum of $50,000 per violation. Johnson could face charges for improper access.