Stolen mobile devices and hacking incidents may result in the biggest exposures of protected health information; however, the most commonly experienced cause of HIPAA security breaches is the unauthorized accessing of patient medical records by employees, according to a study conducted by Veriphyr Identity and Access Intelligence.
The study asked healthcare groups about the security breaches they had suffered. 70% of the survey respondents claimed to have suffered at least one security breach and 35% of those respondents said the breaches were due to the unauthorized accessing of health records by employees.
Snooping was the largest single factor leading to the exposure of patient health information, according to the survey, with 27% of respondents having suffered a breach when an employee accessed the medical records of friends and family. 35% of cases involved employees accessing the medical records of their work colleagues.
The survey was conducted on medium to large-sized healthcare organizations; however, there is no reason to think that small healthcare organizations do not suffer similar data breaches.
Unauthorized Employee PHI Access is a HIPAA Violation
The unauthorized accessing of a patient record may not be headline news, and the incident does not need to be immediately reported to the HHS’ Office for Civil Rights (OCR). Only breaches involving the exposure of the PHI of 500 or more people must be reported within 60 days of the discovery of the breach. Small breaches, such as snooping, that involve the accessing of fewer than 500 records must be reported within 60 days of the end of the calendar year in which the breach occurred. Even though these breaches have a longer reporting time frame, that does not mean they are not serious HIPAA violations. OCR can, and does, investigate these breaches.
All patient records must be secured and the appropriate administrative, technical and physical safeguards must be put in place to prevent PHI from being accessed by unauthorized individuals. While it may not be possible to easily stop the unauthorized accessing of medical records by employees in all instances, a monitoring system must be implemented to ensure that logs are created to identify snooping. Those logs must be reviewed regularly to allow cases of snooping to be rapidly identified to minimize the harm caused.
Steps Healthcare Organizations Can Take to Prevent Unauthorized Employee Access
In order for organizations to be compliant with HIPAA, the ePHI of patients must be secured and protected against unauthorized access. That means appropriate physical, administrative and technical safeguards must be implemented to keep the data secure. Access controls must be put in place that limit who is able to access ePHI on healthcare systems. Access to patient records should, if possible, be limited to an individual's caseload. HIPAA requires a monitoring system be put in place that logs, through their unique logins, which individuals access medical records and what records they have viewed. Automatic alerts should be set up to fire when unauthorized accessing of records occurs, and logs should be regularly reviewed.
The starting point for assessing security risks in an organization is to complete a privacy and security audit. Only by thoroughly reviewing all IT systems, procedures and policies can potential security threats be identified and eliminated.
When a privacy and security audit is conducted, healthcare organizations must complete a four-step process as outlined below:
- Complete a full risk analysis of all IT systems
- Audit and update risk management policies and procedures
- Formulate an employee sanction policy following HIPAA breaches and ensure it is communicated to all staff
- Ensure login credentials and data access are logged and access logs are checked often; any irregularities found must be examined promptly
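The log review described above (limiting access to an individual's caseload, and flagging accesses to a colleague's record) can be automated as a simple detection pass over the access log. The following is an added example, not code from the original article; the log format, the caseload map and the staff-patient mapping are constructed assumptions:

```python
import csv
from io import StringIO

# Constructed sample access log (hypothetical format): who viewed which record, when.
ACCESS_LOG = """\
user_id,patient_id,timestamp
nurse01,P100,2024-03-01T08:05:00
nurse01,P101,2024-03-01T08:20:00
nurse01,P555,2024-03-01T12:40:00
clerk07,P200,2024-03-01T09:00:00
clerk07,P900,2024-03-01T13:15:00
"""

# Constructed caseload assignments: which patient records each login may view.
CASELOAD = {
    "nurse01": {"P100", "P101"},
    "clerk07": {"P200", "P201"},
}

# Constructed mapping of patient record ids that belong to staff members,
# used to flag the "colleague's record" case reported in the survey.
STAFF_PATIENT_IDS = {"P900": "dr_smith"}


def review_access_log(log_text, caseload, staff_patient_ids):
    """Return a list of (user_id, patient_id, timestamp, reason) tuples for
    every access that falls outside the user's caseload. Accesses to a
    colleague's record are tagged separately so they can be prioritised."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient, ts = row["user_id"], row["patient_id"], row["timestamp"]
        allowed = caseload.get(user, set())  # unknown login: nothing is allowed
        if patient in allowed:
            continue
        if patient in staff_patient_ids:
            reason = "access to a colleague's record"
        else:
            reason = "access outside assigned caseload"
        findings.append((user, patient, ts, reason))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, CASELOAD, STAFF_PATIENT_IDS):
        print("ALERT:", *finding)
```

Each finding is a candidate for the prompt examination the audit step calls for; an alerting pipeline would run this over the day's log rather than a fixed string.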
If individual employees must have access to patient health records in order to carry out their duties, there is little that can be done to stop those people from accessing data should they so wish. It is therefore vital that staff members are aware of their obligations under HIPAA and are made aware of the consequences of accessing PHI without authorization.
It may not be possible to eliminate the risk of unauthorized employee PHI access, but the risk can be reduced to a reasonable and low level and any potential harm can be kept to a minimum.