Unauthorized access to patient medical records occurs when an individual who lacks authorization, permission, or other legal authority accesses data, including protected health information (PHI), contained in patient medical records. Unauthorized access can arise from a number of sources.
How Does Unauthorized Access to Patient Medical Records Occur?
Unauthorized access to patient medical records can occur through a variety of means, compromising HIPAA compliance. These include:
- Mishandling of protected health information (PHI). Mishandling of PHI by a covered entity can result in unauthorized access. The HIPAA Privacy Rule requires that measures be taken to safeguard PHI from improper use or disclosure. Mishandling of PHI may occur as a result of a mistake. For example, if a covered entity inadvertently mails PHI to an incorrect recipient instead of the patient, the incorrect recipient can access that PHI without having authorization to do so.
- Lost or stolen devices. Medical staff may misplace or lose devices containing electronic protected health information (ePHI, or protected health information stored in electronic form). If such devices are not rendered secure, an unauthorized individual who commits theft may be able to access the ePHI.
- Covered entity “peeking”. Workers of a covered entity may covertly access PHI, secretly obtaining information to which they are not entitled to access. Workers of a covered entity may only access PHI as necessary to perform their job duties, and consistent with law.
- Ransomware and Malware. Ransomware and malware are two types of cyberattacks that can infect covered entity networks and copy patient medical records to remote servers controlled by the cyberattackers.
- Improper disposal procedures. PHI or ePHI may be improperly or inadequately disposed of (i.e., PHI may be shredded inadequately, or ePHI may not have been de-identified). PHI or ePHI that has not been properly disposed of may be viewed by individuals who have no legitimate reason to access it.