The theft of mobile devices could result in a major exposure of Protected Health Information (PHI); but, according to a study by Veriphyr Identity and Access Intelligence, small scale snooping by employees is actually the most common cause of HIPAA security breaches.
The researchers questioned healthcare providers regarding the types of security breaches they had experienced. 70% of respondents claimed their organization had experienced at least one security breach. 35% said data breaches involved unauthorized accessing of PHI by employees.
The survey results revealed that snooping was the biggest single cause of PHI being compromised. 27% of respondents said a breach occurred because an employee accessed the healthcare records of family and friends, but 35% of incidents were due to employees looked at the healthcare records of their fellow workers.
Medium to large healthcare companies participated in the survey; but it doesn’t mean that small healthcare companies do not experience similar types of data breaches.
Employees who engage in snooping violate HIPAA. Accessing one patient record without authorization may not result in major news coverage but one snooping incident is still considered a HIPAA violation and could result in an OCR investigation.
The healthcare records of all patients should be protected and there must appropriate administrative, physical and technical safeguards to secure all PHI. Although it’s impossible to stop all cases of unauthorized accessing of healthcare records, if there is a monitoring system in place that checks if an unauthorized person accessed data, prompt mitigation action can be taken to prevent or limit harm.
How Can Healthcare Organizations Prevent Snooping
For organizations to be compliant with Meaningful Use, they must be sure to secure the ePHI of patients. To be compliant with HIPAA, it is also required to have adequate physical, technical and administrative safety measures in place to secure electronic health data. Only by completely evaluating all IT systems, processes and policies is it possible to identify potential security threats and eliminate them.
When conducting a privacy and security audit, there are four step that must be completed by healthcare organizations:
- Perform a complete risk analysis of all IT systems
- Evaluate and revise risk management policies and procedures as needed
- Create an employee sanction policy immediately and be sure to convey it to all employees
- Make sure all logins and data access attempts are recorded and check access logs regularly and investigate any irregularities promptly
If employees need to access patient medical records for work reasons, they could access data for non-work reasons if they so wish. It is therefore important to remind employees of their responsibilities under HIPAA. Employees should also know the consequences of viewing ePHI without authorization.
It probably isn’t possible to eliminate the risk of employee snooping; however, risk can be minimized and reduced to a reasonable and acceptable level.