From Celebrities to the Ex-Factor, Snooping is a Serious Issue
Have you cataloged “Snooping” among your risk factors in your Risk Analysis?
Humans are curious beings by nature. With a little motivation we can get really nosy, which often leads to very bad outcomes for those tasked with safeguarding protected health information (PHI). Snooping, where individuals gain access to PHI as a result of curiosity or malicious intent, is a prevalent problem that can land your organization in serious trouble under HIPAA.
The regulators have made it quite clear that a covered entity or business associate is required to conduct a breach risk assessment and notify affected victims in the case of a snooping attack. Penalties for organizations have been severe, and in some cases snoopers themselves have been jailed for violating the privacy rule.
Many studies have documented the struggle HIPAA covered entities have with staff snooping. According to the research, most victims are people the snooper knows. The motivation for snooping in these cases is most frequently what you could call the “ex” factor, e.g. the person is snooping on an ex-spouse, ex-partner, or ex-friend. Not surprisingly, celebrity records are also very popular targets for snooping.
Curious what you can do to protect your organization from snoopers? Here are some ideas.
- Consider “snooping” as a threat agent in your Risk Analysis
- Reinforce the organization’s obligation to patients to protect their PHI
- Provide deep training on privacy and security requirements, controls, and potential penalties for noncompliance
- Underscore the potential consequences for the organization as a result of snooping – both financial and reputational
- Establish, communicate and apply stiff sanctions for employee violations
- Strengthen access controls so personnel only have access to the information they actually need
- Monitor unusual activity and pursue behavior change before it becomes a problem. This also deters colleagues from going down an unfortunate path.