Are your employees breaching your PHI security procedures? We look at a recent example that highlights how quickly a single, unauthorized access can escalate into a costly lawsuit.

What Happened? 

On August 13, 2014, 2NEWS Investigation reported that a lawsuit had been filed against an Ohio hospital by a woman alleging that her health information, and that of her daughter, had been impermissibly accessed by an ex-husband who was also an employee of the hospital.

What Was the Nature of the Impermissible Disclosure? 

According to the woman, the hospital reported the violation to her and provided a log showing that numerous employees, none of whom had any responsibility for her care, looked repeatedly at her private records over a period of 15 months. Both women are suing the hospital and the snooper for invasion of privacy and for negligence in establishing appropriate procedures to safeguard their health information.

“I don’t know if I could feel any more violated than if I had just been stripped down naked and walked in front of every executive in Kettering,” she said.

What Procedures Existed to Ensure the Protection of the Information?  

  • The Director of the hospital’s Compliance Program insists that not all employees have access to all of a patient’s record and that access is based on job title.
  • Activity reports are run to alert compliance staff if a patient’s record was accessed by an unauthorized person.
  • An independent third party is brought in every year to “look” at the IT infrastructure.

However, the two women filing the lawsuit say that isn’t enough.

What Should Organizations Do Next? 

  • Make sure that all employees know that snooping will not be tolerated
  • Establish and apply severe disciplinary action for non-compliance with policies and procedures
  • Give employees only the “minimum necessary” access to health information to do their jobs
  • Strengthen the procedures and authorizations for initiating and terminating access
  • Establish activity monitoring protocols and regularly review reports
  • Require that passwords are changed frequently
  • Train against shoulder surfing
  • Complete a thorough, bona fide risk analysis to identify all threats, vulnerabilities and controls associated with the protection of health information
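The activity-monitoring step above is where the snooping in this case should have been caught: repeated chart openings by someone with no care relationship to the patient. As an added illustration (not code from this post, from Clearwater, or from the hospital), here is a small Python check that compares a constructed EHR access log against a constructed care-team roster and reports users who repeatedly open a chart they have no legitimate reason to see; the log format and roster are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access log (hypothetical format):
# timestamp,user,patient_id,user_role
ACCESS_LOG = """\
2014-03-02T09:15:00,jsmith,P1001,nurse
2014-03-02T11:40:00,rjones,P1001,billing
2014-04-10T22:05:00,rjones,P1001,billing
2014-05-18T13:20:00,rjones,P1002,billing
2014-06-01T08:00:00,kdoe,P1001,physician
2014-06-20T19:45:00,rjones,P1001,billing
"""

# Constructed care-team roster: patient -> users with a legitimate
# treatment, payment or operations reason to open that chart.
CARE_TEAM = {
    "P1001": {"jsmith", "kdoe"},
    "P1002": {"rjones"},
}

def parse_log(text):
    """Parse the constructed CSV log into (timestamp, user, patient, role) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, role = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, role))
    return rows

def find_unauthorized_access(rows, care_team):
    """Every access by a user who is not on that patient's care team."""
    return [r for r in rows if r[1] not in care_team.get(r[2], set())]

def flag_snooping(rows, care_team, min_repeats=2):
    """Group unauthorized accesses per (user, patient); keep repeat offenders."""
    stamps = defaultdict(list)
    for ts, user, patient, _role in find_unauthorized_access(rows, care_team):
        stamps[(user, patient)].append(ts)
    report = {}
    for key, times in stamps.items():
        if len(times) >= min_repeats:
            times.sort()
            # count of unauthorized opens and how long the pattern persisted
            report[key] = {"count": len(times),
                           "span_days": (times[-1] - times[0]).days}
    return report
```

Running `flag_snooping(parse_log(ACCESS_LOG), CARE_TEAM)` on the sample data surfaces the billing user who opened one patient's chart three times over 110 days without being on the care team; a single stray access stays below the repeat threshold and would instead be handled by routine report review.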

What Resources Are Available to You?

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.