EHR Snooping

It’s a HIPAA violation that occurs every day but seldom makes the headlines. It has the potential to destroy an organization’s reputation, but it comes from within.

Medical record snooping by employees may seem like a victimless offense, but the costs and consequences of EHR snooping are real.

What the Law Says About EHR Snooping

HIPAA regulations are unambiguous when it comes to EHR snooping. The Privacy and Security Rules mandate that a patient’s protected health information (PHI) should only be disclosed as needed for essential purposes such as treatment and billing.

PHI disclosures should be limited to the minimum amount of information needed. Administrative safeguards must also be in place to restrict access to PHI to only those who need it.

Those who violate these rules may be subject to severe civil and criminal penalties, including additional governmental oversight, fines, and jail time.

Why People Do It

Despite what the law says, people are naturally curious. Even seasoned healthcare professionals are not immune to the desire to know things they shouldn’t.

Curiosity is natural if a neighbor, friend, family member, or even a coworker is in the practice for treatment. What’s happening? Is it serious? How will this affect me and those around me? All of these questions naturally spring to mind.

A survey from 2013 noted that employee snooping was the most common cause of security breaches. Lost or stolen devices and ransomware attacks may expose larger numbers of records per incident, but employee snooping is responsible for more incidents.

The trend continues to this day. As recently as 2020, five employees at a hospital in Minneapolis, MN, were terminated for accessing the medical records of a “high-profile patient.”


What Can You Do to Prevent EHR Snooping?

No practice wants to be the cause of a data breach, especially one that results from the actions of its employees.

Here are a few things to help minimize the chances of it happening:

Set clear expectations for behavior. Address EHR snooping in your policies and procedures so employees know it is not allowed, and define the disciplinary actions you will take if someone violates those policies or procedures.

Provide proper training for employees. When employees are onboarded, be sure they receive HIPAA training that fully covers your policies and procedures, including how to protect the privacy and security of patient PHI. Repeat this training annually to reinforce it and remind employees of the dangers of EHR snooping.

Set up access controls. Today’s EHR platforms can limit employees’ access to information based on their login credentials. When these controls are properly configured, a billing employee sees only the information necessary to do their job (insurance enrollment, diagnostic codes, etc.), while specifics about a patient’s condition (test results, clinician notes, etc.) remain hidden.

Monitor and act. Even the best EHR system, adequately configured, can be circumvented by employees; one of the easiest ways is sharing account logins and passwords. Your system can warn you when logins are used in unusual locations, like a treatment nurse login on a billing office computer.
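As an added example (not the article’s or any EHR vendor’s code), the following Python sketches the two controls just described, role-limited fields and alerts on logins from an unexpected location, run over a few constructed audit entries; the role names, field names and workstation locations are assumptions.

```python
"""Hypothetical EHR audit-log review: minimum-necessary field filtering plus
unusual-location login alerts. Added example, not any vendor's code; roles,
fields, workstation names and log entries below are all constructed."""
from collections import namedtuple

# Minimum-necessary view per role (assumed role definitions, not a HIPAA list).
ROLE_FIELDS = {
    "billing": {"insurance", "diagnosis_codes"},
    "treatment_nurse": {"vitals", "test_results", "clinician_notes", "diagnosis_codes"},
}
# Workstations each role normally logs in from (assumed site layout).
ROLE_LOCATIONS = {
    "billing": {"billing_office"},
    "treatment_nurse": {"ward_a", "ward_b"},
}

Event = namedtuple("Event", "user role location patient field")


def filter_fields(role, record):
    """Return only the fields the role is allowed to see (minimum necessary)."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def review_audit_log(events):
    """Flag reads outside the role's view and logins from unexpected locations."""
    alerts = []
    for e in events:
        if e.field not in ROLE_FIELDS.get(e.role, set()):
            alerts.append(f"{e.user}: {e.role} read '{e.field}' on {e.patient} outside role view")
        if e.location not in ROLE_LOCATIONS.get(e.role, set()):
            alerts.append(f"{e.user}: {e.role} login from {e.location} is unusual")
    return alerts


# Constructed audit entries: the second row is a nurse account used on a billing PC,
# the third is a billing account reading clinical data it should not see.
SAMPLE_LOG = [
    Event("bjones", "billing", "billing_office", "P-1001", "insurance"),
    Event("nsmith", "treatment_nurse", "billing_office", "P-1002", "clinician_notes"),
    Event("bjones", "billing", "billing_office", "P-1002", "test_results"),
]

if __name__ == "__main__":
    for alert in review_audit_log(SAMPLE_LOG):
        print(alert)
```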