University of Colorado Health

On October 9, 2015, University of Colorado Health, the covered entity (CE) discovered that a nurse working in one of the CE’s network hospitals impermissibly accessed 827 individuals’ medical records between October 2014 and September 2015. The CE discovered the nurse’s impermissible accesses after an anonymous individual telephoned the CE’s privacy hotline regarding the nurse’s suspected conduct. To carry out these impermissible accesses, the nurse utilized the CE’s electronic health record (EHR) application. The CE provided breach notification to HHS, the media, and affected individuals. Based on the breach and OCR’s investigation, the CE sanctioned the nurse and terminated her access to the EHR. The CE also retrained nursing staff regarding use of the EHR in accordance with HIPAA. The CE has reported similar breaches to OCR, and OCR has consolidated the unresolved issues from this breach into a review along with related compliance concerns arising from the CE’s other breaches.
Location of breached information: Electronic Medical Record
Business associate present: No