Community Health Systems, one of the nation’s largest for-profit hospital chains, recently reported a data breach involving an astounding 4.5 million patient records – and fingered a sophisticated Chinese cyber-espionage team as the culprit. While breaches of this magnitude make headlines, federal regulators report that the most common HIPAA violation is what they call “small-scale snooping.” That’s when a healthcare organization’s own employees peek into the medical records of friends, fellow workers and even celebrities. Here’s how to reduce your risk.
As you might guess, most celebrity snoops are in large metro hospitals, while “friends and neighbors” snooping is more common in smaller communities. Most snooping incidents go unreported, with many organizations quietly firing the employee and compensating the victim.
Some celebrity snoops are quite brazen, like the woman at UCLA Medical Center who was fired a few years ago for perusing the medical records of terminally ill Farrah Fawcett, California first lady Maria Shriver and other celebs. Last year, Cedars-Sinai Hospital fired a half-dozen employees for leaking information about Kim Kardashian’s newborn baby.
It’s important to note that most snoops aren’t high-level clinicians. The Kardashian snoops included one medical assistant and an unpaid student researcher. But hospitals are responsible for the activities of all employees, plus those of all business associates – including attorneys, IT consultants, accountants, and so on.
Unfortunately for hospitals of all sizes, mobile technology has made snooping much easier – just as penalties have gotten much tougher. A healthcare organization can now be fined $1.5 million per HIPAA violation in cases of willful neglect. Some hospitals are so fearful of these penalties that they’re creating bogus celebrity records to entice snoops (who can then be dismissed before doing any real damage).
But snoops now have Google Glass and other wearable devices that take eavesdropping to new levels. Because many of these contain small cameras, they can be used to surreptitiously capture another employee’s password. Then the snoop can access patient records when no one is looking, even from home (and transfer the blame to an innocent co-worker if discovered during activity monitoring).
Here are seven practical steps that any healthcare organization can take to help prevent snooping and avoid the resulting fines and reputational damage:
- Duh! Conduct the risk analysis required by HIPAA – This step alone shows your organization’s due diligence in protecting confidential patient data. Yet many organizations have only made a token effort instead of conducting a thorough risk analysis.
- Read my lips: No snooping tolerated – Every new hire should get both a written and verbal orientation to your organization’s zero-tolerance policy on snooping. This policy should also extend to all your business associates.
- Give employees only the “minimum necessary” access to Protected Health Information (PHI) – Your receptionist doesn’t need access to clinical data, which eliminates the temptation to peek into celebrity files – or those of an ex-spouse or neighbor.
- Change passwords frequently – Let employees know that password-sharing is strictly forbidden, and have them change passwords regularly to prevent password theft via mobile devices.
- Train against shoulder surfing – Make employees aware of “shoulder surfing” techniques and insist on privacy screens to prevent unauthorized individuals from snooping during an office tour or on their way to the water fountain.
- Stronger access controls – Your organization needs to establish and document controls for granting and terminating employee access to patient records, and access needs to be immediately rescinded when an employee leaves the organization.
- Make disciplinary actions crystal-clear – Employees should know up front what the consequences for snooping will be, such as suspension or termination of employment in cases of malicious intent.
Federal regulators have made it clear that medical snooping is not a frivolous offense. Specifically, they have stated that snooping does not meet one of the exclusions to the definition of a breach, thereby requiring a documented breach risk assessment following every snooping incident.
By implementing the safeguards outlined here, you can help avoid the high cost and reputational damage associated with snooping.
How effective are your information risk management strategies?Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.
This article was originally published on mHealth News.