Accessing the medical records of patients when there is no legitimate work reason for doing so is a violation of the HIPAA Privacy Rule. Employees must be told clearly that snooping on medical records, whether out of curiosity or for any other non-work reason, is prohibited, and what the consequences of such a violation will be.
It is also important, and a requirement under the administrative safeguards of the HIPAA Security Rule, to maintain logs of medical record access and to review them regularly to identify employees accessing patient records without authorization. There will always be isolated cases of employees snooping on medical records, but regular review of access logs helps ensure that those cases are identified quickly so that action can be taken.
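The review described above is, in practice, a comparison of who opened a chart against who had a documented work relationship with that patient at the time. The following is an added example of that check, written for this article; it is not code from the original page or from Aultman Health Foundation. The audit log format (timestamp, user, action, patient identifier), the care-coordination roster, and all sample records are constructed for illustration, and a real deployment would also need to account for emergency ("break-the-glass") access paths that legitimately fall outside a roster.

```python
"""Flag EHR chart accesses with no documented care-coordination relationship.

Added example; log format, roster and sample data are constructed, not real.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed audit export. Assumed format: ISO timestamp|user|action|patient_id
AUDIT_LOG = """\
2021-03-01T08:02:11|jdoe|VIEW|P1001
2021-03-01T08:15:40|jdoe|VIEW|P1002
2021-03-01T12:47:03|jdoe|VIEW|P2200
2021-03-01T12:48:19|jdoe|VIEW|P2201
2021-03-01T12:49:55|jdoe|VIEW|P2202
2021-03-02T09:05:00|asmith|VIEW|P1003
2021-03-02T09:30:12|asmith|VIEW|P3300
"""

# Constructed care-coordination roster: (user, patient_id, start, end), dates inclusive.
ASSIGNMENTS = [
    ("jdoe", "P1001", "2021-02-20", "2021-03-31"),
    ("jdoe", "P1002", "2021-02-25", "2021-03-31"),
    ("asmith", "P1003", "2021-03-01", "2021-03-15"),
]


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    action: str
    patient_id: str


def parse_log(text: str) -> list:
    """Parse the pipe-delimited audit export into Access records."""
    accesses = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, patient_id = line.split("|")
        accesses.append(Access(datetime.fromisoformat(ts), user, action, patient_id))
    return accesses


def build_assignment_index(assignments) -> dict:
    """Map (user, patient_id) -> list of (start, end) date windows of expected access."""
    index = defaultdict(list)
    for user, patient_id, start, end in assignments:
        index[(user, patient_id)].append((date.fromisoformat(start), date.fromisoformat(end)))
    return index


def find_unauthorized(accesses, assignments) -> list:
    """Return every access that no roster assignment covered on that day."""
    index = build_assignment_index(assignments)
    flagged = []
    for a in accesses:
        day = a.ts.date()
        windows = index.get((a.user, a.patient_id), [])
        if not any(start <= day <= end for start, end in windows):
            flagged.append(a)
    return flagged


def summarize_by_user(flagged) -> dict:
    """Per user: (number of flagged accesses, number of distinct patients affected)."""
    counts = defaultdict(int)
    patients = defaultdict(set)
    for a in flagged:
        counts[a.user] += 1
        patients[a.user].add(a.patient_id)
    return {u: (counts[u], len(patients[u])) for u in counts}


def burst_users(flagged, window=timedelta(minutes=5), threshold=3) -> set:
    """Users who opened `threshold` or more unassigned charts within `window`.

    Rapid sequential browsing of unrelated charts is a common snooping pattern
    and is worth escalating ahead of a single stray lookup.
    """
    by_user = defaultdict(list)
    for a in flagged:
        by_user[a.user].append(a.ts)
    hits = set()
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(user)
                break
    return hits


if __name__ == "__main__":
    flagged = find_unauthorized(parse_log(AUDIT_LOG), ASSIGNMENTS)
    for a in flagged:
        print(f"{a.ts.isoformat()} {a.user} {a.action} {a.patient_id}  <- no assignment")
    print("per user:", summarize_by_user(flagged))
    print("burst browsing:", burst_users(flagged))
```

Run against a monthly export, the per-user summary gives the reviewer a short list to triage, and the burst check surfaces the pattern that a decade-long case such as the one below would have shown from its first weeks.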
A breach recently reported by Aultman Health Foundation highlights the risks of not performing regular checks of access logs. The Ohio-based healthcare provider announced last month that it had terminated an employee after discovering unauthorized medical record access. The former employee was provided with access to electronic health records (EHRs) for care coordination purposes, but those access rights were abused.
The employee had received HIPAA training and so knew that viewing medical records for purposes outside the scope of their job role was not permitted. When the snooping was identified, the employee was suspended pending the outcome of the investigation. A review of access logs showed that the individual had been accessing patient records without authorization for more than a decade: the first unauthorized access occurred in 2009, and the activity continued until the privacy violations were discovered in 2021. During that time, the employee impermissibly accessed the medical records of 7,300 patients.
In this case, patient health information was not being accessed for malicious purposes. The employee appeared to be viewing patient records out of curiosity. Aultman Health Foundation found no evidence of misuse of patient information and there were no indications that any of the accessed data had been disclosed to any other individuals. The employee is not facing any criminal charges over the violation but was promptly terminated.
Aultman Health Foundation said it will be providing further training to the workforce about patient privacy and will implement additional measures to better protect patient information. Patients affected by the breach have been notified and offered credit monitoring and identity theft protection services as a precaution.
Had the snooping been detected sooner, far fewer patients would have had their privacy violated and the cost of the breach would have been far lower. As it stands, the failure to discover the breach for 12 years carries a very real risk of a financial penalty for noncompliance.