There’s an update to the Coulee Medical Center breach, where 2,500 patients were notified that a physician had improperly shared PHI with his wife between January 2010 and November 2013. He subsequently claimed that his wife, an actuary, was helping him develop a statistical tool for analyzing data. Even so…
From HHS’s summary of their investigation:
“The covered entity (CE), Coulee Medical Center, reported that a CE-employed physician disclosed electronic protected health information (ePHI) to his wife without authorization. The ePHI involved in the breach included names, hospital account numbers, dates of service, CPT codes, and service descriptions for approximately 2,500 individuals. The CE provided breach notification to HHS and affected individuals. Upon discovering the breach, the CE sanctioned the physician, required the physician to complete comprehensive HIPAA training, and required all workforce members to complete annual HIPAA training. As a result of OCR’s investigation, the CE implemented new information security policies and procedures to better safeguard its ePHI. OCR provided the CE with technical assistance regarding what constitutes an adequate Security Rule risk analysis and risk management plan, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule.”