The widespread adoption of electronic health records in hospitals and physician offices has led, some would say inexorably, to equally widespread HIPAA violations by employees of those healthcare providers. Unauthorized access to medical records of celebrities, friends, family members, and neighbors of staff members of HIPAA Covered Entities, is the bane of HIPAA Privacy Officers everywhere.
Notable Examples of Employee Snooping Behavior
Naturally, unauthorized access to the patient health information of celebrities gets a lot of attention from the Office for Civil Rights (OCR). The OCR is the agency within the Department of Health and Human Services (HHS) that investigates data breaches and all other types of unauthorized disclosure of protected health information. Some sample cases:
- Britney Spears was a victim of employee snooping as far back as 2005, when the health records of her son were accessed for no business reason by employees at an LA-area hospital. A second incident followed in 2008. Both incidents resulted in terminations of the workforce members who viewed the patient records.
- Up to two dozen staff members were suspended after unauthorized viewing of patient records of George Clooney at a New Jersey hospital in 2007.
- UCLA terminated four workers and paid a $95,000 fine after the workers accessed the medical records of Michael Jackson in 2010.
- Three staff members and a contract nurse were terminated after snooping in the medical records of shooting victim Congresswoman Gabrielle Giffords in 2011.
- UCLA was fined $865k after staff members accessed the protected health information of two celebrities in 2011. In 2010, a former employee pleaded guilty to four counts of illegally looking at medical records of celebrities. The employee was sentenced to four months in federal prison.
If you’re noticing a pattern here, you’re right. Consequences go from suspension to termination to fines to jail time. All those levels of penalties – including jail time – are possible under HIPAA laws and regulations.
Employee Snooping on Non-Celebrities
A covered entity like a hospital must also deal with EHR snooping into patient records where the patients were not celebrities but were mostly co-workers, family members, and friends of hospital employees. These cases don’t make the “HIPAA Wall of Shame”, which details each HIPAA violation that affects 500 or more persons. But there are a lot of them! In our role as Privacy Officer for several healthcare industry clients, we have seen many, many examples of snooping into patient information without a business reason. Some represent misguided curiosity; others were malicious or for personal gain. They are all security breaches; one could even be a criminal HIPAA violation.
- A Registration employee accessed all parts of a patient’s chart with no business reason. The employee said she was checking the physician’s notes and other sections for “safety purposes”.
- Employee A had a falling out with Employee B, both at work and outside of work. Employee B accessed the protected health information of Employee A with no business reason. Employee B denied the invasion despite access logs showing the snooping. Employee A was eventually advised to report the offsite harassment to law enforcement.
- All staff members of one hospital clinic were routinely accessing each other’s electronic health records.
- A physician employee accessed her own chart and entered a referral for specialty care.
- Employees C and D were married but were divorcing. Employee D entered into a relationship with Employee E. Employee E accessed the chart of the child of C and D looking for information to use in a custody hearing.
- Three employees worked in a clinic together. Employees F and G were looking into Employee H’s chart. F and G noticed who H specified as an emergency contact. F and G thought H should use her mother as an emergency contact so they changed the name and number of the emergency contact in H’s chart without H’s knowledge.
- A group of hospital work colleagues were going on a trip and needed proof of negative COVID-19 testing, which was done at the hospital where they all worked. The organizer of the trip felt her fellow travelers might not all get their test results in time, so she used her login credentials to look up all the results and print them out.
- A woman who was part of a hospital volunteer organization was accessing the hospital’s EHR to read about the healthcare services and conditions that her neighbors in the community were receiving. She then went home to share them with her husband. She admitted it was the only reason she had become a volunteer.
- A surgeon was waiting to perform an emergency operative procedure on a patient at night. He was upset that he had to wait for a period of time because the OR and on-call staff were busy with another emergency procedure. He decided to look at the medical record of the earlier patient to see if he thought the earlier patient was more urgent than his patient.
What About Employees Accessing Their Own Charts or Those of Family Members?
Healthcare providers who provide care to their own staff members also have to grapple with this issue. One of our clients was experiencing a rash of reports about workers accessing their own EHR content using their access as employees. In a survey of several healthcare organizations, we found about half of them had policies forbidding staff members from accessing their own records using their access credentials versus via a patient portal. Other organizations allowed this type of access.
Our recommendation was to require staff members to access their medical records using the patient portal, like every other patient. Although HIPAA regulations require HIPAA-covered entities to give all patients access to their protected health information, they do not require giving employees that access via their employee login credentials. In some cases there could be a good-faith business reason for an employee to access their own record or a family member’s, for instance when the employee is the only person on duty for the particular function or service the employee needs.
Defending Against Employee EHR Snooping
HIPAA compliance in this area is a never-ending quest. The HIPAA Privacy Rules lay out in some detail all the requirements for covered entities to protect the confidentiality of protected health information. And any healthcare organization creating or maintaining electronic PHI needs to comply with the HIPAA Security Rules, including the Technical Safeguards, the Physical Safeguards, and the Administrative Safeguards. Let’s look at a few of the provisions that you should implement to help deter EHR snooping.
- Naturally, the top of the list would be policies and procedures. Most covered entities these days would be expected to have operating policies and procedures related to maintaining the privacy and security of the PHI they create, transmit, or maintain. This would be the first area covered in an OCR audit of your organization following a security breach – no matter what the breach was about.
- Keep in mind that the Privacy and Security Rules both require policies covering disciplinary procedures for staff member HIPAA violations. Policies typically describe levels of increasingly severe penalties for violating the organization’s HIPAA policies. Levels of discipline usually range from counseling or additional training to suspension to termination for serious cases such as exposing PHI for personal gain or altering a staff member’s own record with false information. Consequences should also include reporting to law enforcement when the unauthorized access may be related to other criminal offenses, like identity theft.
- All privacy breaches require a risk assessment to determine whether notification to the patient and the OCR is required. This activity can also pinpoint the issues for which disciplinary action may be indicated.
This is a somewhat curious area in many healthcare organizations. There is a certain element of “no harm, no foul” when it comes to managers or supervisors considering disciplinary action. Many managers do not want to impose discipline such as suspensions or terminations when the infraction does not seem too serious to them. An OCR audit of security breaches (which is what employee snooping is!) will always look at the consistency of disciplinary action imposed in the case they audit and in other snooping cases investigated by the organization.
- HIPAA training is another important element in addressing snooping. Workforce training should be tailored to the access each group of staff members requires for their duties. Periodic retraining is also required.
- A detailed confidentiality agreement is another way to remind staff members of their obligations to maintain the privacy of PHI. Confidentiality agreements should be updated and re-signed when there is a major change affecting the type or scope of information that must be kept confidential.
- Make sure your Privacy Officer can monitor access to the EHR system, and that all access controls and other technical safeguards are kept up to date.
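The monitoring just mentioned is only useful if someone turns the EHR access log into leads worth reviewing. The script below is an added example, not code from the original article or from any EHR vendor: it runs over constructed access-log events and flags the patterns described earlier on this page (an employee opening their own chart, access to a fellow employee’s chart, access by a department with no treatment relationship, and bulk look-ups like the COVID-19 test case). The roster, encounter index, field names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed workforce roster (hypothetical ids): user -> own patient id and department
ROSTER = {
    "emp_f": {"patient_id": "P100", "dept": "clinic_a"},
    "emp_h": {"patient_id": "P102", "dept": "clinic_a"},
    "emp_k": {"patient_id": "P200", "dept": "lab"},
}
# Constructed treatment relationships: patient id -> departments with an open encounter
ENCOUNTERS = {"P102": {"clinic_a"}, "P300": {"lab"}, "P301": {"lab"},
              "P302": {"lab"}, "P303": {"lab"}, "P304": {"lab"}}
# Constructed EHR access-log events: (unix time, user, patient id, action)
EVENTS = [
    (1000, "emp_h", "P102", "view"),   # employee opens her own chart
    (1010, "emp_f", "P102", "edit"),   # edits a fellow employee's chart (emergency-contact case)
    (1020, "emp_f", "P300", "view"),   # clinic staff views a patient the clinic is not treating
    (1100, "emp_k", "P300", "print"),  # lab user prints five patients' results within 40 seconds
    (1110, "emp_k", "P301", "print"),
    (1120, "emp_k", "P302", "print"),
    (1130, "emp_k", "P303", "print"),
    (1140, "emp_k", "P304", "print"),
]

def flag_events(events, roster, encounters, bulk_n=5, window=300):
    """Return (time, user, patient, reason) tuples for events matching a snooping pattern.

    Each flag is a lead for the Privacy Officer's risk assessment, not a verdict: whether a
    good-faith business reason existed (e.g. sole staffer on duty) is decided by a person."""
    employee_patients = {v["patient_id"]: u for u, v in roster.items()}
    recent = defaultdict(list)  # user -> [(time, patient)] inside the sliding window
    flags = []
    for t, user, patient, action in sorted(events):
        me = roster.get(user, {})
        if patient == me.get("patient_id"):
            flags.append((t, user, patient, "self_access"))
        elif patient in employee_patients:
            flags.append((t, user, patient, "coworker_access"))
        elif me.get("dept") not in encounters.get(patient, set()):
            flags.append((t, user, patient, "no_treatment_relationship"))
        # Bulk rule: many distinct charts in a short window, independent of the rules above
        recent[user] = [(ts, p) for ts, p in recent[user] if t - ts <= window] + [(t, patient)]
        if len({p for _, p in recent[user]}) == bulk_n:
            flags.append((t, user, patient, "bulk_access"))
    return flags

if __name__ == "__main__":
    for flag in flag_events(EVENTS, ROSTER, ENCOUNTERS):
        print(flag)
```

A real deployment would read the EHR's audit export and the HR roster instead of the inline constants, and would route each flag into the breach risk assessment described above rather than acting on it automatically.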
As noted above, unauthorized access to PHI by staff members is an ongoing problem. Another curious aspect of snooping is the willingness of so many staff members to engage in it. It is hard to imagine staff members going to a Health Information Department and asking to see the paper medical records of fellow staff members, relatives, or neighbors for no business reason. Yet people are perfectly OK with looking at these records when they are in digital form. It seems like the ability to get information immediately online has affected the judgment of many staff members when it comes to other people’s medical records.
Robust systems to preserve the integrity of electronic health records plus vigilance plus training will go a long way to creating a culture of HIPAA compliance in your organization. Privacy Officers, managers, and executives at all levels: remember, the records you protect may include your own!