A former Cheyenne Regional Medical Center employee improperly accessed the records of about 1,600 patients over nearly two years, the hospital’s compliance director told Cowboy State Daily on Wednesday.
A recent internal investigation found that the former employee patients’ personal health records without permission between Aug. 31, 2020 and May 26, 2022, CRMC compliance director Gladys Ayokosok said on Wednesday.
“As far as HIPAA rules go, even if nothing serious happened when she accessed the information, if there is a disclosure where records access is not authorized, we’re required by federal law to send notices to the impacted patients and inform the community through various channels,” Ayokosok said.
HIPAA is the federal Health Insurance Portability and Accountability Act, a federal law which prohibits the release of patients’ health information without their consent.
Ayokosok said there was no indication the information from the files was shared with anyone outside the hospital.
The former employee did have permission to access to the hospital’s electronic health records system, however, the viewing of certain medical records was outside of her job scope.
Information in the health records included names, dates of birth, social security numbers, dates of care, medical record numbers, diagnoses and treatments.
The woman was able to access records for such a long time because she previously worked with the records provider, Ayokosok said.
“Sometimes you can go into the records by accident, so it just went on for some time without anybody noticing until we finally got a report,” she said.
Ayokosok said that certain employees have access to patient records, but despite this, there might be instances where they should not be looking through records.
“Right now, our IT team has created an audit trail, so we can (track) if an employee has accessed records more than the normal amount of times,” she said. “Now, the team can see why they’re actually in those records, making sure they’re accessing it based on job requirements and not snooping.”
The woman was reported by a fellow CRMC employee after she transferred to a different department within the medical center. Ayokosok said CRMC officials immediately took action when it was discovered she had been looking through records.
However, she did note that despite the woman looking at the records, it does not appear that she stole or attempted to steal patients’ information.
While she cannot rule out another employee potentially accessing patient records, Ayokosok said that this situation is an example for all employees to learn from.
The hospital will soon mail letters to the approximately 1,600 patients whose information was compromised.