Share this article on:
The theft of mobile devices may result in the largest exposures of Protected Health Information; however the most common cause of HIPAA security breaches is small scale snooping by employees, according to a study conducted by Veriphyr Identity and Access Intelligence.
The study asked healthcare providers about the security breaches their organizations had suffered, with 70% of the survey respondents claiming to have experienced at least one security breach. 35% of those respondents attributed the breaches to unauthorized access by employees.
Snooping was the largest single cause of exposure of patient health information according to the survey with 27% of having experienced a breach when an employee viewed medical records of friends and family, while 35% occurred when employees checked the medical records of their work colleagues.
The survey was conducted on medium to large healthcare organizations; however there is no reason to suggest that small healthcare organizations do not suffer data breaches of a similar nature.
Employee Snooping is a HIPAA Violation
Unauthorized access of a single patient record may not make headline news and the matter is not immediately reportable to the Office of Civil Rights – only breaches involving the exposure of medical records of more than 500 individuals must be reported after discovery of the breach – although the incident is still classed as a HIPAA violation and could potentially trigger an investigation by the OCR.
All patient records must be protected and the appropriate administrative, technical and physical safeguards must be employed to keep all PHI secure and away from prying eyes. While it may not be possible to prevent unauthorized accessing of medical records in all cases, a monitoring system should be in case to ensure that if data is accessed by an unauthorized individual, rapid action can be taken to mitigate the any damage.
Steps Healthcare Organizations Can Take to Prevent Snooping
Organizations compliant with Meaningful Use must ensure that the ePHI of patients is secured, with HIPAA also requiring adequate physical, administrative and technical safeguards to be implemented to protect electronic health data. The starting point for assessing security risks in an organization is to conduct a Privacy and Security Audit. Only by thoroughly assessing all IT systems, procedures and policies can potential security threats be identified and eliminated.
When a Privacy and Security Audit is conducted, healthcare organizations must complete a four step procedure as detailed below:
- Conduct a full risk analysis of all IT systems
- Review and update risk management policies and procedures
- Devise an employee sanction policy following HIPAA breaches and ensure it is communicated to all staff
- Ensure logins and data access are logged and access logs are checked regularly; any irregularities found must be investigated promptly
If individual employees are required to have access to patient health records in order to perform their duties, there is little that can be done to prevent those individuals from accessing data should they wish. It I therefore essential that the staff is advised of their obligations under Meaningful Use and HIPAA Privacy and Security Rules and informed of the consequences of accessing ePHI without authorization.
It may not be possible to eliminate the risk of employee snooping; but the risk can be reduced and provided data privacy and security rules are followed it is possible to limit any damage caused and avoid a HIPAA violation penalty.