Stolen mobile devices may result in the biggest exposures of Protected Health Information; however, the most commonly experienced cause of HIPAA security breaches is unauthorized access to patient medical records by employees, according to a study conducted by Veriphyr Identity and Access Intelligence.
The study asked healthcare groups about the security breaches their entities had suffered, with 70% of the survey respondents claiming to have suffered at least a single security breach. 35% of those respondents blamed the breaches on unauthorized access by employees.
Snooping was the largest single factor leading to the exposure of patient health information according to the survey with 27% of having suffered a breach when an employee accessed medical records of friends and family, while 35% happened when employees reviewed the medical records of their work colleagues.
The survey was completed on medium to large healthcare organizations; however there is no reason to think that small healthcare organizations do not suffer data breaches similar to this.
Unauthorized Employee Access is a HIPAA Violation
Unauthorized access of a sole patient record may not result in headline news and the matter is not immediately reportable to the Office of Civil Rights – only breaches including the exposure of medical histories of more than 500 people must be reported after discovery of the breach – although the incident is still classified as a HIPAA violation and could potentially lead to an investigation by the OCR.
All patient records must be secured and the appropriate administrative, technical and physical safeguards must be used to keep all PHI secure and away from snooping eyes. While it may not be possible to stop unauthorized accessing of medical records in all instances, a monitoring system should be in case to make sure that if data is accessed by an unauthorized person, quick action can be taken to minimize the any damage.
Steps Healthcare Organizations Can Take to Prevent Unauthorized Employee Access
Organizations compliant with Meaningful Use must be completely certain that the ePHI of patients is secured, with HIPAA also requiring adequate physical, administrative and technical safeguards to be adapted to protect electronic health data. The starting point for assessing security risks in an organization is to complete a Privacy and Security Audit. Only by thoroughly reviewing all IT systems, procedures and policies can potential security threats be identified and cut out.
When a Privacy and Security Audit is conducted, healthcare organizations must complete a four step process as outlined below:
- Complete a full risk analysis of all IT systems
- Audit and update risk management policies and procedures
- Formulate an employee sanction policy following HIPAA breaches and ensure it is sent to all staff
- Ensure login credentials and data access are logged and access logs are checked often; any irregularities found must be examined promptly
If individual employees must have acess to patient health records in order to carry out their duties, there is little that can be done to avoid those people from accessing data should they wish. It is therefore vital that the staff are aware of their obligations under Meaningful Use and HIPAA Privacy and Security Rules and told the consequences of accessing ePHI without authorization.
It may not be possible to eliminate the risk of unauthorized employee access; but the danger can be reduced and provided data privacy and security rules are followed it is possible to restrict any damage caused and avoid a potential HIPAA violation penalty.