What the Law Says About EHR Snooping
HIPAA regulations are unambiguous when it comes to EHR snooping. The Privacy and Security Rules mandate that a patient’s protected health information (PHI) should only be disclosed as needed for essential purposes such as treatment and billing.
PHI disclosures should be limited to the minimum amount of information needed. Administrative safeguards must also be in place to restrict access to PHI to only those who need it.
Those who violate these rules may be subject to severe civil and criminal penalties, including additional governmental oversight, fines, and jail time.
Why People Do It
Despite what the law says, people are naturally curious. Even seasoned healthcare professionals are not immune to the urge to know things they shouldn’t.
Curiosity is natural when a neighbor, friend, family member, or even coworker is at the practice for treatment. What’s happening? Is it serious? How will this affect me and those around me? All of these questions naturally spring to mind.
A survey from 2013 noted that employee snooping was the most common cause of security breaches. Lost or stolen devices and ransomware attacks may expose far larger numbers of records per breach, but employee snooping is responsible for more incidents.
The trend continues to this day. As recently as 2020, five employees at a hospital in Minneapolis, MN, were terminated for accessing the medical records of a “high-profile patient.”