This may come as a surprise to many of you …
Medical record snooping goes on every day and in all healthcare organizations, from the single provider office to the large hospital environment.
What is Medical Records Snooping?
Medical records snooping is the inappropriate access of patient records by any workforce member, including doctors, regardless of whether the information acquired was used or disclosed for any reason.
For example, if a healthcare workforce member sees their neighbor has come to the clinic and accesses the neighbor’s record to see why they are visiting the clinic, this is considered snooping!!
And yes, this applies to either paper or electronic medical records.
What are the consequences of snooping?
Absent very unusual circumstances, the penalty for snooping is termination.
This zero-tolerance applies to:
- Records of your spouse or domestic partner
- Records of your siblings
- Records of your children or grandchildren
- Records of co-workers
- Records of friends and neighbors
- Records of persons of media interest
Performing medical record audits
The HIPAA Security Rule 45 CFR §164.312(b) requires Covered Entities (CEs) and Business Associates (BAs) to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (PHI),” while 45 CFR §164.308(a)(1)(ii)(D) requires CEs and BAs to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
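What the "regularly review records of information system activity" requirement looks like in practice is a routine pass over the EHR access log that flags the patterns described above: a workforce member opening their own, a relative's or a co-worker's chart, or opening any chart for which no care relationship is documented. The script below is an added example, not code from the original post or from any EHR vendor. The log format, the care-team table and the employee-to-patient linkage table are all constructed assumptions; a real organization would feed it its own audit export and its HR/patient linkage data.

```python
"""
Added example (not part of the original post): a small access-log review of the
kind 45 CFR 164.308(a)(1)(ii)(D) calls for. It scans constructed EHR audit
records and reports two snooping indicators:
  1. the user accessed a record of a person they are related to
     (self, spouse, child, co-worker) -- the zero-tolerance list above;
  2. the user is not on the documented care team for that patient.
Every data structure here is constructed for illustration; the log columns and
the lookup tables are assumptions, not a real EHR's format.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log (assumed CSV export; real EHR formats differ).
AUDIT_LOG = """\
timestamp,user_id,user_role,patient_id,action
2024-03-01T08:02:11,u101,nurse,p500,view
2024-03-01T08:15:40,u101,nurse,p501,view
2024-03-01T09:03:22,u102,physician,p600,view
2024-03-01T12:44:05,u103,clerk,p700,view
2024-03-01T12:50:19,u103,clerk,p600,view
2024-03-01T13:10:51,u101,nurse,p800,view
"""

# Constructed care-team assignments: who has a treatment/operations reason
# to open which chart. Absence from this set is the "no relationship" signal.
CARE_TEAM = {
    "p500": {"u101", "u102"},
    "p501": {"u101"},
    "p600": {"u102"},
    "p700": set(),
}

# Constructed employee-to-patient linkage (self, family, co-workers). In a real
# program this comes from HR data joined against the patient master index.
RELATED_PATIENTS = {
    "u101": {"p800"},   # u101's spouse is patient p800
    "u103": {"p700"},   # p700 is u103's own record
}

RELATED_REASON = "access to own/family/co-worker record"
NO_RELATIONSHIP_REASON = "no documented care relationship"


def review_access_log(log_text, care_team, related):
    """Return (user_id, patient_id, reason) findings, in log order, for a reviewer.

    The related-person check runs first because it is the stronger signal;
    an access is reported once even if both conditions hold.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user_id"], row["patient_id"]
        if patient in related.get(user, set()):
            findings.append((user, patient, RELATED_REASON))
        elif user not in care_team.get(patient, set()):
            findings.append((user, patient, NO_RELATIONSHIP_REASON))
    return findings


def findings_per_user(findings):
    """Count findings by user so repeat offenders (the multi-month cases in the
    incidents below) surface at the top of the review queue."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    hits = review_access_log(AUDIT_LOG, CARE_TEAM, RELATED_PATIENTS)
    for user, patient, reason in hits:
        print(f"{user} -> {patient}: {reason}")
    print("per-user totals:", dict(findings_per_user(hits)))
```

The review is deliberately lookup-driven rather than heuristic: the two tables are the organization's own statement of who may open what, so every finding is explainable to the workforce member and to an auditor. Running it on the constructed log flags u103 twice (own record, then a chart with no assignment) and u101 once (spouse's record), and leaves the three legitimate care-team accesses alone.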
Over the years several healthcare organizations have received HIPAA violations because of inappropriate actions made by their workforce.
- Doctor accessed medical records without authorization AND gave some of that PHI to an ATTORNEY!!
- Palomar Medical Center Escondido had to notify more than 1,300 patients after a former nurse viewed their medical records without authorization for more than 15 months.
- A former employee of SSM Health, a St. Louis, MO-based not-for-profit health system, accessed patients' PHI without a legitimate work reason for 8 months.
Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to these risks?