Feds begin HIPAA probe in Cincinnati
The U.S. Department of Health & Human Services has launched a federal probe into HIPAA privacy violations at the University of Cincinnati Medical Center, according to an HHS spokesperson.
The investigation stems from when a financial services employee of the hospital accessed the detailed billing records of a patient with a sexually transmitted disease and shared them with someone who deliberately and maliciously published those records on Facebook, taunting and ridiculing the patient.
The investigation began last week after Healthcare IT News contacted HHS to ask about the incident. HHS spokesperson Rachel Seeger also said that the incident, which led the hospital to fire the employee shortly after learning of it and which has prompted an imminent lawsuit, should have been reported to the HHS Office for Civil Rights before March 1, 2014. Late last week, Seeger said, "This is the first that we have heard of that incident."
The hospital's response? The University of Cincinnati Medical Center had indeed reported the incident to the government long before the March 1, 2014, deadline and has the proof that it filed, according to hospital spokesperson Diana Maria Lara. "We have confirmation we notified the Secretary of HHS via their website portal on October 3rd, 2013 at 12:57 PM," Lara said, adding, "I cannot show you a copy as it would violate HIPAA. We have confirmation it was received by HHS."
As for the federal investigation, Lara said, "We have not received any notification from HHS regarding any investigation."
When HHS spokesperson Seeger was asked about the specifics of the investigation and whether the hospital had been notified, she replied via email saying: the HHS Office for Civil Rights "cannot comment on open investigations. I regret that I cannot offer further details."
At this early stage, an investigation's launch may mean little. When a news report or lawsuit speaks of activities that would seem to violate HIPAA rules, HHS would have little choice but to launch an investigation to determine if a fine was merited, either for the incident or for the failure to report (which the hospital disputes) or both.
What made the original incident so problematic is that it seemed to be a clear case of someone using HIPAA-protected data deliberately and maliciously to humiliate and otherwise attack a patient. The argument in the hospital's favor is that the posting of the data on Facebook was not done by the employee, but by someone with a direct relationship to the patient (the father of her then unborn child). Could that hospital employee have thought it was OK to share such information with the baby's father?
This calls into question the hospital's policies and procedures and whether a financial services employee should have been able to access intimate medical details, especially when there was no business reason for that employee to have accessed that patient's account at all. From an IT perspective, it asks what access restrictions are realistic and reasonable. How much can, or should, a hospital restrict access? Would such restrictions hurt employee efficiency in trying to clean up billing problems?