On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%
Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network.
Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access.
While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients.
All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several HIPAA violation cases of healthcare employees accessing the medical records of thousands of patients without authorization over several years when the unauthorized access is not promptly identified and addressed.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
A study conducted by Bai, Jiang, and Flasher in 2017 found the risk of data breaches was higher at large academic medical centers than at other hospitals. Around one-quarter of the data breaches were HIPAA violation cases of employees accessing patient information without authorization.
The recent study, Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial, conducted by researchers at Michigan State University, Johns Hopkins, and Nick Culbertson, CEO and Co-founder of the healthcare compliance analytics firm Protenus, investigated the effectiveness of email warnings at preventing repeat offenses by employees.
Between January 1 and July 31, 2018, a system that monitored unauthorized accessing of PHI at a large academic medical center flagged unauthorized accessing of electronic medical records by 444 employees, all of whom were professional medical staff who were not part of the patient’s intervention team and did not have access permission.
A group of 219 employees was randomly selected and received an email warning on the night of their access. The email explained that the individual had been identified as having accessed a patient’s electronic medical record when there was no work-related reason for doing so, and that it was a privacy violation. The remaining 225 employees formed a control group and received no email warning.
In the group that received an email intervention, 4 employees out 219 went on to access patient information without authorization on a second occasion between 20 and 70 days after the initial unauthorized access. In the control group, 90 out of the 225 employees accessed the protected health information of patients again without authorization between 20 and 70 days after the initial unauthorized access.
While there were limitations of the study and the findings may not translate to other hospitals, it demonstrates that on-the-spot intervention can be highly effective at preventing further privacy breaches and that if no action is taken, employees are likely to continue to access patient data in violation of the HIPAA Rules.
“What an email warning can do to deter employees’ unauthorized access is stunning. A simple email can lead to big changes,” said Dr. Ge Bai, a professor at Johns Hopkins Carey Business School and Bloomberg School of Public Health, and corresponding author of the study.
For the duration of the trial, no disciplinary action was taken against any of the employees. Disciplinary action was taken after the trial was concluded against all employees involved for violating the PHI access policy of the medical center, which prohibits employees from accessing the records of family members, coworkers, friends, or other acquaintances without prior written authorization.