Employee Snooping is the Most Common Cause of HIPAA Security Breaches


The theft of mobile devices may result in the largest exposures of Protected Health Information; however, the most common cause of HIPAA security breaches is small-scale snooping by employees, according to a study conducted by Veriphyr Identity and Access Intelligence.

The study asked healthcare providers about the security breaches their organizations had suffered, with 70% of the survey respondents claiming to have experienced at least one security breach. 35% of those respondents attributed the breaches to unauthorized access by employees.

Snooping was the largest single cause of exposure of patient health information according to the survey, with 27% of respondents having experienced a breach in which an employee viewed the medical records of friends and family, while 35% experienced a breach in which employees checked the medical records of their work colleagues.

The survey was conducted on medium to large healthcare organizations; however, there is no reason to suggest that small healthcare organizations do not suffer data breaches of a similar nature.

Employee Snooping is a HIPAA Violation

Unauthorized access to patient records may not make headline news, but the breach is still likely to be a reportable breach and could potentially trigger an investigation by the OCR. There have been cases where a HIPAA violation has attracted a financial penalty for the covered entity when only one or two individuals’ PHI had been accessed without authorization or their rights under HIPAA had been violated.

Generally, snooping should be reported to OCR and the individual(s) whose records were accessed must be notified, unless it is established that the employee accessed the records in good faith and within the scope of the workforce member’s authority, or the records were accessed by accident (see § 164.402).

All patient records must be protected, and the appropriate administrative, technical and physical safeguards must be employed to keep all PHI secure and away from prying eyes. While it may not be possible to prevent unauthorized access to medical records in all cases, a monitoring system should be in place and access logs should be regularly reviewed, so that if PHI is accessed by an unauthorized individual, rapid action can be taken to limit the harm caused and prevent further records from being accessed. All too often, employees are discovered to have accessed health records without authorization over a period of several months or years before the snooping is identified.

Steps Healthcare Organizations Can Take to Prevent Snooping

Organizations compliant with Meaningful Use must ensure that the ePHI of patients is secured, with HIPAA also requiring adequate physical, administrative and technical safeguards to be implemented to protect electronic health data. The starting point for assessing security risks in an organization is to conduct a Privacy and Security Audit. Only by thoroughly assessing all IT systems, procedures and policies can potential security threats be identified and eliminated.

When a Privacy and Security Audit is conducted, healthcare organizations must complete a four-step procedure as detailed below:

  • Conduct a full risk analysis of all IT systems
  • Review and update risk management policies and procedures
  • Devise an employee sanction policy following HIPAA breaches and ensure it is communicated to all staff
  • Ensure logins and data access are logged and access logs are checked regularly; any irregularities found must be investigated promptly
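The access-log review called for in the last step, and in the monitoring paragraph above, comes down to comparing each chart access against a documented treatment relationship. The following is an added illustration, not code from the article or from Veriphyr: it assumes a constructed log format of `timestamp user patient action`, a constructed care-team assignment table, and a constructed list of patients who are also workforce members, so that accesses to a colleague's record (the pattern the survey found most often) can be labelled separately.

```python
"""Review EHR access logs for chart views with no documented care relationship."""
from collections import Counter, namedtuple

Access = namedtuple("Access", "ts user patient action")

# Constructed reference data (assumed schema; not from the article).
# Care-team assignments: patient id -> workforce members allowed to view the chart.
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.patel"},
    "P1002": {"dr.patel"},
    "P2001": {"nurse.kim"},  # this patient is also a workforce member
}
# Patient ids that belong to workforce members (staff who are also patients).
STAFF_PATIENTS = {"P2001": "tech.lopez"}

# Constructed sample access log, one event per line: "<timestamp> <user> <patient> <action>".
SAMPLE_LOG = """\
2023-03-01T09:02:11 nurse.kim P1001 view
2023-03-01T09:15:40 reg.jones P1002 view
2023-03-01T12:30:05 dr.patel P2001 view
2023-03-01T12:31:00 tech.lopez P2001 view
2023-03-02T08:05:19 reg.jones P1001 view
2023-03-02T17:44:02 dr.patel P1002 print
"""

def parse_log(text):
    """Parse whitespace-separated events; blank or malformed lines are skipped."""
    return [Access(*p) for p in (ln.split() for ln in text.splitlines()) if len(p) == 4]

def review_access(records, care_team, staff_patients):
    """Return (ts, user, patient, reason) for every access outside the patient's care team."""
    findings = []
    for r in records:
        if r.user in care_team.get(r.patient, set()):
            continue  # documented treatment relationship: nothing to review
        if staff_patients.get(r.patient) == r.user:
            reason = "self-access"  # own chart: handle under local policy, not as snooping
        elif r.patient in staff_patients:
            reason = "colleague record, no care relationship"
        else:
            reason = "no care relationship"
        findings.append((r.ts, r.user, r.patient, reason))
    return findings

def repeat_users(findings, threshold=2):
    """Users with `threshold` or more findings on other people's charts: the repeated
    pattern that, per the article, often runs for months before it is noticed."""
    counts = Counter(f[1] for f in findings if f[3] != "self-access")
    return {u: n for u, n in counts.items() if n >= threshold}
```

Running `review_access(parse_log(SAMPLE_LOG), CARE_TEAM, STAFF_PATIENTS)` on the constructed log yields four findings for review, two of them for the same user, which `repeat_users` surfaces for prompt investigation.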

If individual employees are required to have access to patient health records in order to perform their duties, there is little that can be done to prevent those individuals from accessing data should they wish to. It is therefore essential for staff to be advised of their obligations under Meaningful Use and HIPAA and to be informed of the consequences of accessing ePHI without authorization.

It may not be possible to eliminate the risk of employee snooping, but the risk can be reduced and, provided data privacy and security rules are followed, it is possible to limit any damage caused and avoid a HIPAA violation penalty.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
