It’s a HIPAA violation that occurs every day but seldom makes the headlines. It has the potential to destroy an organization’s reputation, but it comes from within.
Medical record snooping by employees may seem like a victimless offense, but the costs and consequences of EHR snooping are real.
What the Law Says About EHR Snooping
HIPAA regulations are unambiguous when it comes to EHR snooping. The Privacy and Security Rules mandate that a patient’s protected health information (PHI) should only be disclosed as needed for essential purposes such as treatment and billing.
PHI disclosures should be limited to the minimum amount of information needed. Administrative safeguards must also be in place to restrict access to PHI to only those who need it.
Those who violate these rules may be subject to severe civil and criminal penalties, including additional governmental oversight, fines, and jail time.
Why People Do It
Despite what the law says, people are naturally curious. Even seasoned healthcare professionals are not immune to the desire of wanting to know things they shouldn’t.
Curiosity is natural if a neighbor, friend, family member, or even coworker is in practice for treatment. What’s happening? Is it serious? How will this affect me and those around me? All of these questions naturally spring to mind.
A survey from 2013 noted that employee snooping was the most common cause of security breaches. Lost or stolen devices and ransomware attacks may result in more significant numbers of records being breached, but employee snooping is responsible for more incidents.
The trend continues to this day. As recently as 2020, five employees at a hospital in Minneapolis, MN, were terminated for accessing the medical records of a “high-profile patient.”Â
What Can You Do to Prevent EHR Snooping?
No practice wants to be the cause of a data breach, especially one that results from the actions of its employees.Â
Here are a few things to help minimize the chances of employees illegally accessing patient files:
Set clear expectations for behavior. Address EHR snooping in your policies and procedures, so employees know it is not allowed. Decide on and define your disciplinary actions if someone violates the established policies or procedures.
Provide proper training for employees. When employees are onboarded, be sure they receive HIPAA training that fully covers your policies and procedures, including protecting patient PHI privacy and security. Repeat this training annually to reinforce and remind employees of the dangers of EHR snooping.
Set up access controls. Today’s EHR platforms can limit employees’ access to information based on their login credentials. Properly configured, a billing employee will only see the information necessary to do their job (insurance enrollment, diagnostic codes, etc.) while specifics about a patient’s condition (test results, clinician notes, etc.) would remain hidden.
Monitor and act. Employees can always find ways to circumvent the system even if you have the best EHR system adequately configured. One of the easiest ways to do it is by sharing account logins and passwords. Your system can warn you when logins are used in unusual locations, like a treatment nurse login on a billing office computer.Â
A major academic research hospital conducted a test with 444 employees who improperly accessed patient records. Approximately half of them received an email warning on the evening of the incident, while the others did not.
Only two percent of the group that received the warning email repeated the action, compared to 40 percent of the group that did not receive the warning.Â
Final Thoughts
If you’re concerned about EHR snooping or anything related to HIPAA compliance, Compliancy Group has a solution that can help. Our web-based automated HIPAA compliance software “The Guard” is paired with personalized help from a Compliance Coach who will walk with you through the process of achieving compliance.Â
