From Celebrities to the Ex-Factor, Snooping is a Serious Issue

Have you cataloged “Snooping” among your risk factors in your Risk Analysis?

Humans are curious beings by nature. With a little motivation we can get really nosy, which often leads to very bad outcomes for those tasked with safeguarding protected health information (PHI). Snooping, where individuals gain access to PHI as a result of curiosity or malicious intent, is a prevalent problem that can land your organization in serious trouble under HIPAA.

The regulators have made it quite clear that a covered entity or business associate is required to conduct a breach risk assessment and notify affected victims in the case of a snooping attack. Penalties for organizations have been severe, and in some cases snoopers themselves have been jailed for violating the Privacy Rule.

Many studies have documented the struggle HIPAA covered entities have with staff snooping. According to the research, most victims of snoopers are people they know. The motivation for snooping in these cases is most frequently what you could call the “ex” factor, e.g. the person is snooping on an ex-spouse, ex-partner or ex-friend. Not surprisingly, celebrity records are also very popular targets for snooping.

Curious what you can do to protect your organization from snoopers? Here are some ideas.


  • Consider “snooping” as a threat agent in your Risk Analysis
  • Reinforce the organization’s obligation to patients to protect their PHI
  • Provide deep training on privacy and security requirements, controls, and potential penalties for noncompliance
  • Underscore the potential consequences for the organization as a result of snooping – both financial and reputational
  • Establish, communicate and apply stiff sanctions for employee violations
  • Strengthen access controls so personnel only have access to the information they actually need
  • Monitor unusual activity and pursue behavior change before it becomes a problem. This also deters colleagues from going down an unfortunate path.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.