Are your employees breaching your PHI security procedures? We look at a recent example that highlights how unauthorized access to a patient's records, once discovered, can escalate into a costly lawsuit.
On August 13, 2014, 2NEWS Investigation reported that a lawsuit had been filed against an Ohio hospital by a woman alleging that her health information, and that of her daughter, had been impermissibly accessed by an ex-husband who was also an employee of the hospital.
What Was the Nature of the Impermissible Disclosure?
According to the woman, the hospital reported the violation to her and provided a log of numerous employees who, over a period of 15 months and with no responsibility for her care, looked repeatedly at her private records. Both women are suing the hospital and the snooper for invasion of privacy and negligence in establishing appropriate procedures to safeguard their health information.
“I don’t know if I could feel any more violated than if I had just been stripped down naked and walked in front of every executive in Kettering,” she said.
What Procedures Existed to Ensure the Protection of the Information?
- The director of the hospital's compliance program insists that not every employee can see all of a patient's record and that access is granted based on job title.
- Activity reports are run to alert compliance staff if a patient's record is accessed by an unauthorized person.
- An independent third party is brought in every year to “look” at the IT infrastructure.
However, the two women filing the lawsuit say that isn’t enough.
What Should Organizations Do Next?
- Make sure that all employees know that snooping will not be tolerated
- Establish and apply severe disciplinary action for non-compliance with policies and procedures
- Give employees only the “minimum necessary” access to health information to do their jobs
- Strengthen procedures and authorization for initiating and terminating access
- Establish audit-log monitoring procedures and review the reports on a regular schedule, not only after a patient complains
- Require that passwords are changed regularly and never shared, so that every access in the audit log can be tied to one identifiable person
- Train staff to guard against shoulder surfing
- Complete a thorough, bona fide risk analysis to identify all threats, vulnerabilities and controls associated with the protection of health information
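Two of the points above (the hospital's activity reports, and the recommendation to establish monitoring and review the reports regularly) come down to the same technical question: how does a compliance team find a snooper in an EHR audit log? The following is an added example, not code from the original article or from any hospital system. It assumes a constructed pipe-delimited access log, a hypothetical care-team assignment table (in practice this would come from encounter or ADT data), and an assumed list of roles such as billing that legitimately access records without a treatment relationship. Its point is that job-title access control alone would have permitted every one of the flagged accesses, since a nurse is entitled to open charts; the snooping only shows up when each access is checked against whether that user was actually involved in that patient's care, and repeat accesses are aggregated over time.

```python
"""Audit-log review for snooping: flag record access with no treatment
relationship, then summarise repeat offenders per (user, patient).

Added illustration only; the log format, field names, roles and every
record below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample EHR access log, one event per line.
# Fields: timestamp | user_id | role | patient_id | action
ACCESS_LOG = """\
2013-05-02T09:14:00 | u1001 | RN      | P-4471 | view_chart
2013-05-02T09:20:00 | u1002 | MD      | P-4471 | view_chart
2013-05-03T22:41:00 | u1007 | RN      | P-4471 | view_chart
2013-06-11T23:05:00 | u1007 | RN      | P-4471 | view_chart
2013-06-12T01:12:00 | u1007 | RN      | P-4471 | view_labs
2013-07-30T18:30:00 | u1015 | BILLING | P-4471 | view_demographics
2013-09-02T12:00:00 | u1007 | RN      | P-4472 | view_chart
2014-08-01T07:45:00 | u1007 | RN      | P-4471 | view_chart
2013-05-04T10:00:00 | u1002 | MD      | P-9900 | view_chart
"""

# Hypothetical care-team table: patient_id -> users with a treatment relationship.
CARE_TEAM = {
    "P-4471": {"u1001", "u1002"},
    "P-4472": {"u1001", "u1002"},
    "P-9900": {"u1002"},
}

# Assumption: roles whose job requires access without a treatment relationship.
EXEMPT_ROLES = {"BILLING"}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the constructed pipe-delimited log into Access records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = [f.strip() for f in line.split("|")]
        events.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def flag_unauthorized(events, care_team, exempt_roles=EXEMPT_ROLES):
    """Return accesses by users with no treatment relationship to the patient.

    Role-based access control alone would have allowed all of these: the
    snooper is an RN and RNs may open charts. Only the relationship check
    separates care from snooping. A patient missing from care_team is
    treated as having no authorised users, so every access is flagged.
    """
    flagged = []
    for e in events:
        if e.role in exempt_roles:
            continue
        if e.user not in care_team.get(e.patient, set()):
            flagged.append(e)
    return flagged


def summarise(flagged):
    """Group flagged accesses by (user, patient): count, first, last, span."""
    by_pair = defaultdict(list)
    for e in flagged:
        by_pair[(e.user, e.patient)].append(e.ts)
    report = {}
    for (user, patient), stamps in by_pair.items():
        stamps.sort()
        report[(user, patient)] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "span_days": (stamps[-1] - stamps[0]).days,
        }
    return report


def repeat_offenders(report, min_count=2):
    """(user, patient) pairs accessed at least min_count times without authorisation."""
    return sorted(k for k, s in report.items() if s["count"] >= min_count)


def run_review(log_text=ACCESS_LOG, care_team=CARE_TEAM):
    return summarise(flag_unauthorized(parse_log(log_text), care_team))


if __name__ == "__main__":
    for (user, patient), s in sorted(run_review().items()):
        print(f"{user} -> {patient}: {s['count']} accesses, "
              f"{s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d} ({s['span_days']} days)")
```

On the constructed data the review flags one nurse opening one patient's chart four times across roughly fifteen months, plus a single access to a second patient. The detection itself is cheap; what the case in this article illustrates is that the report is worthless if nobody reads it until the patient complains, so the review cadence and the follow-up on repeat offenders matter as much as the query.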
What Resources Are Available to You?
- Download our FREE Whitepaper: Risky Business: How to Conduct a Bona Fide HIPAA Risk Analysis
- Read our related article “Mobile devices make snooping more tempting” on mHealthNews
- More useful information and updates can be found at PrivacyAssociation.org
Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.
By Mary Chaput