Veriphyr Identity and Access Intelligence has recently published a report into what causes the greatest threat of exposure of Protected Health Information (PHI). The study found that the theft of mobile devices may result in the largest exposures of PHI; however, the most common cause of HIPAA security breaches is small-scale “snooping” by employees.
The study surveyed a large number of healthcare providers about the security breaches their organizations had suffered. They found that over 70% of those who responded had experienced at least one security breach. Nearly 35% of those respondents attributed the breaches to unauthorized access by employees.
This makes snooping the largest single cause of exposure of patient health information according to the survey. Of those surveyed, 27% had experienced a breach when an employee viewed the medical records of friends and family, while 35% had experienced one when employees checked the medical records of their work colleagues.
The survey was conducted on medium to large healthcare organizations. Given the nature of the “snooping”, it is likely that small healthcare organizations also suffer from data breaches of a similar nature.
Employee Snooping and HIPAA Violations
Unauthorized access of even a single patient record is not immediately reportable to the Office for Civil Rights, but it still counts as a HIPAA violation. Only breaches involving the exposure of medical records of more than 500 individuals must be reported after discovery of the breach. The incident could still potentially trigger an investigation by the OCR into the healthcare organization’s practices.
All patient records must be protected, and the appropriate administrative, technical and physical safeguards must be employed to keep all PHI secure and away from prying eyes. While it may not be possible to prevent unauthorized access to medical records in all cases, a monitoring system should be in place to ensure that if data is accessed by an unauthorized individual, rapid action can be taken to mitigate any damage.
Advice to Healthcare Organizations
Organizations compliant with Meaningful Use must ensure that the ePHI of patients is secured. Furthermore, HIPAA also requires adequate physical, administrative and technical safeguards to be implemented to protect electronic health data. The starting point for assessing security risks in an organization is to conduct a Privacy and Security Audit. Only by thoroughly assessing all IT systems, procedures and policies can potential security threats be identified and eliminated.
When a Privacy and Security Audit is conducted, healthcare organizations must complete the four-step procedure detailed below:
• Conduct a full risk analysis of all IT systems
• Review and update risk management policies and procedures
• Devise an employee sanction policy following HIPAA breaches and ensure it is communicated to all staff
• Ensure logins and data access are logged and access logs are checked regularly; any irregularities found must be investigated promptly
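The fourth step above calls for access logs to be checked regularly for irregularities. The following is an added illustration, not part of the Veriphyr report or any vendor product, of what such a check can look like: it runs over a small constructed EHR access log and flags the two snooping patterns the survey describes (viewing records of people the employee has no care relationship with, and viewing a colleague's record). The employee and patient identifiers, the care-team table and the log format are all hypothetical.

```python
"""Flag EHR access-log entries that look like employee snooping (example code)."""
from collections import defaultdict

# Constructed sample data (hypothetical): which employees are on each patient's
# care team, and which patient records belong to members of staff.
CARE_TEAM = {"P100": {"E01", "E02"}, "P200": {"E03"}, "P300": {"E02"}}
STAFF_PATIENTS = {"P300": "E04"}   # patient P300 is also employee E04

# Constructed access log: timestamp,user,patient,action
ACCESS_LOG = """\
2024-03-01T09:12:00,E01,P100,view
2024-03-01T09:30:00,E03,P100,view
2024-03-01T10:05:00,E02,P300,view
2024-03-01T11:40:00,E05,P300,view
2024-03-01T11:41:00,E05,P200,view
2024-03-01T11:42:00,E05,P100,view
"""


def parse_log(text):
    """Turn the CSV-style log into a list of dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        rows.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return rows


def flag_snooping(rows, care_team, staff_patients, burst_threshold=3):
    """Return (timestamp, user, patient, reason) tuples for suspicious accesses."""
    findings = []
    unrelated_by_user = defaultdict(set)
    for r in rows:
        user, patient = r["user"], r["patient"]
        if user in care_team.get(patient, set()):
            continue  # legitimate: the user treats this patient
        reason = "no care-team relationship"
        if patient in staff_patients and staff_patients[patient] != user:
            reason = "record belongs to a colleague"
        findings.append((r["ts"], user, patient, reason))
        unrelated_by_user[user].add(patient)
    # A user touching several unrelated records in one log window is a stronger signal.
    for user, patients in unrelated_by_user.items():
        if len(patients) >= burst_threshold:
            findings.append((None, user, ",".join(sorted(patients)), "many unrelated records"))
    return findings
```

Each finding is a prompt for investigation, as the audit step requires, not proof of a violation; an access may still be justified by a role the sample care-team table does not capture.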
If individual employees are required to have access to patient health records in order to perform their duties, there is little that can be done to prevent those individuals from accessing data should they wish to “snoop” on people they know. It is therefore essential that staff are advised of their obligations under Meaningful Use and the HIPAA Privacy and Security Rules and informed of the consequences of accessing ePHI without authorization.
It may not be possible to eliminate the risk of employee snooping, but the risk can be reduced, and provided data privacy and security rules are followed it is possible to limit any damage caused and avoid a HIPAA violation penalty.