This article was originally featured on Medical Practice Insider
When physicians hear the term “data breach,” they typically think of the headline-grabbing security breaches at major retailers like Target — or perhaps the ones where a clinician loses a laptop containing thousands of unencrypted patient records.
Yet the most common HIPAA violation is what regulators often call “small-scale snooping,” where a medical practice’s own employees peek into the medical records of friends, fellow workers and even celebrities. Not surprisingly, most celebrity snoops happen in large metropolitan practices, while “friends and neighbors” snooping is more common in smaller communities. Most snooping incidents go unreported, with many organizations quietly firing the employee and compensating the victim.
[See also: 3 crazy HIPAA breaches]
A few years back, several doctors and nurses were suspended for snooping into actor George Clooney’s medical records. In other high-profile cases, employees were fired for snooping into the files of Kim Kardashian, Tom Cruise, former U.S. Representative Gabrielle Giffords and a terminally ill Farrah Fawcett.
In recent years, the penalties for snooping have gotten much tougher. A practice can be fined $1.5 million per HIPAA violation in cases of willful neglect, and most data breaches involve multiple HIPAA violations.
To catch inside snoops, some hospitals and practices now create fictitious celebrity medical records as bait for the untrustworthy. Computer specialists then monitor who accesses the files. But let’s recognize that not every facility has the resources to take such measures.
Here are some pragmatic ways that small- to medium-size practices can help prevent snooping and avoid the resulting fines and reputational damage:
Conduct a security risk analysis, preferably guided by experienced compliance professionals.This step alone shows your practice’s due diligence in protecting confidential patient data, and is required by HIPAA.
Clearly communicate your no-snooping policy to all employees. Every new hire should get both a written and verbal orientation to your practice’s zero-tolerance policy on snooping. This policy should also extend to all your business associates, including accountants, lawyers and IT professionals. Due to changes in HIPAA rules, your practice can now be fined if a business associate does the snooping.
Give employees only the “minimum necessary” access to protected health information (PHI).Your receptionist doesn’t need access to clinical data, which eliminates the temptation to peek into Brad Pitt’s files – or those of an ex-spouse or neighbor.
Password-protect medical files depending on “need to know.” Employees should be frequently reminded that your practice prohibits the sharing of passwords and user IDs.
Document a formal process for initiating and terminating access. Your office manager should establish and document controls for granting and terminating employee access to patient records — and access needs to be immediately shut down when an employee leaves the practice.
Communicate and enforce disciplinary actions for snooping. Employees should know upfront what the consequences will be, such as suspension or termination of employment in cases of malicious intent.
Conduct background checks. Follow ERISA rules, but conduct background and reference checks before new employees start the job. Many snooping violations go unreported, but running these checks will represent reasonable due diligence and may prevent costly fines and a tarnished reputation.
Allow patients to restrict the sharing of PHI. You’re required to honor a patient’s special request for privacy (e.g., an ex-spouse of one of your nurses requesting that he/she not have access to PHI).
A major healthcare system can absorb a million-dollar security fine and stay afloat, but it can ruin a small- to medium-size practice. Make sure that your practice doesn’t get blindsided by one of your own employees who gets nosy about a neighbor or wants to leak information to TMZ or National Enquirer.
Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.
Latest posts by Mary Chaput (see all)
- Call for State Privacy Laws to Align with HIPAA - February 13, 2017
- IF YOU HAVE TO DISCLOSE, LOOK YOUR BEST - December 27, 2016
- OCR is using audits to find risks and vulnerabilities that might not otherwise be known. - December 14, 2016