Stolen mobile devices and hacking incidents may result in the biggest exposures of protected health information; however, the most commonly experienced cause of HIPAA security breaches is the unauthorized accessing of patient medical records by employees, according to a study conducted by Veriphyr Identity and Access Intelligence.
The study asked healthcare groups about the security breaches they had suffered. 70% of the survey respondents claimed to have suffered at least one security breach and 35% of those respondents said the breaches were due to the unauthorized accessing of health records by employees.
Snooping was the largest single factor leading to the exposure of patient health information, according to the survey: 27% of respondents had suffered a breach when an employee accessed the medical records of friends and family, and 35% of cases involved employees accessing the medical records of their work colleagues.
The survey was conducted on medium to large-sized healthcare organizations; however, there is no reason to think that small healthcare organizations do not suffer similar data breaches.
Unauthorized Employee PHI Access is a HIPAA Violation
The unauthorized accessing of a patient record may not be headline news, and the incident does not need to be immediately reported to the HHS’ Office for Civil Rights. Only breaches involving the exposure of the PHI of 500 or more people must be reported within 60 days of the discovery of the breach. Small breaches, such as snooping, that involve the accessing of fewer than 500 records must be reported within 60 days of the end of the calendar year in which the breach occurred. Even though these breaches have a longer reporting time frame, that does not mean they are not serious HIPAA violations. OCR can, and does, investigate these breaches.
All patient records must be secured and the appropriate administrative, technical and physical safeguards must be put in place to prevent PHI from being accessed by unauthorized individuals. While it may not be possible to easily stop the unauthorized accessing of medical records by employees in all instances, a monitoring system must be implemented to ensure that logs are created to identify snooping. Those logs must be reviewed regularly to allow cases of snooping to be rapidly identified to minimize the harm caused.
Steps Healthcare Organizations Can Take to Prevent Unauthorized Employee Access
In order for organizations to be compliant with HIPAA, the ePHI of patients must be secured and protected against unauthorized access. That means appropriate physical, administrative and technical safeguards must be implemented to keep the data secure. Access controls must be put in place that limit who is able to access ePHI on healthcare systems. Access to patient records should, if possible, be limited to an individual's caseload. HIPAA requires a monitoring system be put in place that logs, through their unique logins, which individuals access medical records and what records they have viewed. Automatic alerts should be set up for when unauthorized accessing of records occurs, and logs should be regularly reviewed.
The starting point for assessing security risks in an organization is to complete a privacy and security audit. Only by thoroughly reviewing all IT systems, procedures and policies can potential security threats be identified and eliminated.
When a privacy and security audit is conducted, healthcare organizations must complete a four step process as outlined below:
- Complete a full risk analysis of all IT systems
- Audit and update risk management policies and procedures
- Formulate an employee sanction policy following HIPAA breaches and ensure it is communicated to all staff
- Ensure login credentials and data access are logged and access logs are checked often; any irregularities found must be examined promptly
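The monitoring described above (per-login access logging, caseload-limited access, automatic alerts and periodic log review) can be illustrated with a small snooping detector. This is an added example, not code from the article or from any particular EHR product; the log format, the caseload table and the staff roster are constructed assumptions, and it flags the two patterns the survey reports most often: accesses outside an employee's assigned caseload, and accesses to records that belong to co-workers.

```python
from dataclasses import dataclass
from collections import Counter
# Constructed sample access log (assumption): timestamp, user, record, action
ACCESS_LOG = """\
2023-03-01T09:02:11 nurse_a P1001 VIEW
2023-03-01T09:05:40 nurse_a P1002 VIEW
2023-03-01T12:31:05 nurse_a P2002 VIEW
2023-03-01T13:10:22 clerk_b P1002 VIEW
2023-03-01T13:12:09 clerk_b P3003 VIEW
"""

# Constructed caseload table (assumption): records each user is assigned to
CASELOAD = {"nurse_a": {"P1001", "P1002"}, "clerk_b": {"P1002", "P3003"}}

# Constructed roster (assumption): patient records that belong to staff members
STAFF_RECORDS = {"P2002": "clerk_b", "P3003": "dr_c"}

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    record: str
    reason: str

def parse_log(text):
    """Yield (ts, user, record, action) from whitespace-separated log lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, record, action = line.split()
            yield ts, user, record, action

def detect_snooping(log_text, caseload=CASELOAD, staff_records=STAFF_RECORDS):
    """Return one Alert per suspicious access and reason. Users missing from
    the caseload table get an empty caseload, so all their accesses are flagged."""
    alerts = []
    for ts, user, record, _action in parse_log(log_text):
        if record not in caseload.get(user, set()):
            alerts.append(Alert(ts, user, record, "outside assigned caseload"))
        owner = staff_records.get(record)
        if owner is not None and owner != user:
            alerts.append(Alert(ts, user, record, "record belongs to a co-worker"))
    return alerts

def alerts_per_user(alerts):
    """Count alerts by user, the summary a periodic log review would start from."""
    return dict(Counter(a.user for a in alerts))

if __name__ == "__main__":
    for alert in detect_snooping(ACCESS_LOG):
        print(alert)
```

In production the caseload and roster would come from the scheduling and HR systems, and an access that is in the caseload but hits a colleague's record still warrants review.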
If individual employees must have access to patient health records in order to carry out their duties, there is little that can be done to stop those people from accessing data should they so wish. It is therefore vital that staff members are aware of their obligations under HIPAA and are made aware of the consequences of accessing PHI without authorization.
It may not be possible to eliminate the risk of unauthorized employee PHI access, but the risk can be reduced to a reasonable and low level, and any potential harm can be kept to a minimum.
Unauthorized Access to PHI: FAQ
What is the difference between a HIPAA violation and a HIPAA breach?
A HIPAA violation occurs when the stipulations of HIPAA have not been met. Examples of violations include a CE failing to adequately train its employees, or when an individual shares login details with a co-worker. A HIPAA breach occurs when PHI has been accessed by unauthorized individuals.
Unauthorized access to PHI, therefore, would be considered both a HIPAA violation and a HIPAA breach.
Is it a HIPAA breach if employees within a CE access PHI?
Yes. Even if an employee works within a covered entity, if they access PHI that they do not need for a particular task, then it is considered to be a HIPAA breach. This includes deliberate “snooping” as well as accidental and incidental HIPAA violations.
Who should unauthorized access of PHI be reported to?
All breaches should, first and foremost, be reported to the HIPAA Privacy Officer within the covered entity. They can then assess the severity of the situation. All breaches should then be reported to the Department of Health and Human Services’ Office for Civil Rights, though when this has to happen will depend on the severity of the breach. If over 500 records have been affected, then the breach must be reported within 60 days of its discovery. If the breach affected fewer records, then the breach must be reported within 60 days of the end of the calendar year during which the breach occurred.
How can unauthorized access be prevented through HIPAA training?
There are many ways in which PHI can be safeguarded. First and foremost, all employees should be trained in HIPAA and be made aware of the major risks facing PHI. This can include training on how to identify phishing emails, or on the appropriate disclosure of PHI for medical care.
What is the minimum necessary requirement?
The minimum necessary requirement means that only the information required for the task at hand should be disclosed. Violation of the minimum necessary requirement is a common HIPAA violation.