Episode 29: Know The Rules! Medical Records Snooping

This may come as a surprise to many of you …

Medical record snooping goes on every day and in healthcare organizations of every size, from the single-provider office to the large hospital environment.

What is Medical Records Snooping?

Medical records snooping is the inappropriate access of patient records by any workforce member, including doctors, regardless of whether the information acquired was used or disclosed for any reason.

For example, if a healthcare workforce member sees their neighbor has come to the clinic and accesses the neighbor’s record to see why they are visiting the clinic, this is considered snooping!!

And yes, this applies to either paper or electronic medical records.

What are the consequences of snooping?

Absent very unusual circumstances, the penalty for snooping is termination.

This zero-tolerance policy applies to:

  • Records of your spouse or domestic partner
  • Records of your siblings
  • Records of your children or grandchildren
  • Records of co-workers
  • Records of friends and neighbors
  • Records of persons of media interest

Performing medical record audits

The HIPAA Security Rule 45 CFR §164.312(b) requires Covered Entities (CEs) and Business Associates (BAs) to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (PHI),” while 45 CFR §164.308(a)(1)(ii)(D) requires CEs and BAs to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
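The two rule sections above require recording access activity and regularly reviewing it. The following is an added example, not code from this newsletter or from any EHR product, of such a review run over a constructed access log: each access is checked against a care-team table (treatment relationship), a list of patient ids that belong to workforce members (co-worker records) and a list of persons of media interest. All three tables are assumed inputs that a real review would pull from the EHR and HR systems.

```python
"""Review of EHR access logs for snooping indicators (added example, constructed data)."""
import csv
import io

# Constructed sample access log, not real records.
ACCESS_LOG = """\
timestamp,user,patient_id,action
2024-03-01T08:02:11,nurse_a,P100,view
2024-03-01T08:15:40,nurse_a,P101,view
2024-03-01T12:30:05,nurse_b,P100,view
2024-03-01T13:05:22,clerk_c,P300,view
2024-03-01T13:09:48,clerk_c,P100,view
2024-03-02T09:45:00,dr_d,P200,view
"""

# Assumed treatment relationships: workforce members assigned to each patient.
CARE_TEAM = {
    "P100": {"nurse_a", "dr_d"},
    "P101": {"nurse_a"},
    "P200": {"dr_d"},
    "P300": {"nurse_b"},
}
# Assumed patient ids that belong to workforce members (co-worker records).
WORKFORCE_PATIENT_IDS = {"P300"}
# Assumed patient ids flagged as persons of media interest.
MEDIA_INTEREST_IDS = {"P200"}


def review_access_log(log_text, care_team, workforce_ids, media_ids):
    """Return (timestamp, user, patient_id, reasons) for each access needing follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        reasons = []
        if user not in care_team.get(pid, set()):
            reasons.append("no treatment relationship")
        if pid in workforce_ids:
            reasons.append("co-worker record")
        # High-profile records are reviewed even when a relationship exists.
        if pid in media_ids:
            reasons.append("person of media interest")
        if reasons:
            findings.append((row["timestamp"], user, pid, reasons))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users whose flagged accesses reach the threshold; snooping typically recurs over months."""
    counts = {}
    for _, user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Run against the constructed log this flags four accesses and identifies clerk_c as the only user with repeated findings.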

Over the years, several healthcare organizations have been cited for HIPAA violations because of inappropriate actions by their workforce.

Examples of HIPAA Violations Caused by Workforce Snooping

  1. Doctor accessed medical records without authorization AND gave some of that PHI to an ATTORNEY!!
  2. Palomar Medical Center Escondido had to notify more than 1,300 patients after a former nurse viewed their medical records without authorization for more than 15 months.
  3. A former employee of SSM Health, a St. Louis, MO-based not-for-profit health system, accessed patients’ PHI without a legitimate work reason for 8 months.

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and that they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to these risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.

One thought on “Episode 29: Know The Rules! Medical Records Snooping”

  1. […] do you know if, or who, is snooping in your medical records? Audit Logs! […]