
The Consequences of Medical Record Snooping

Today, I am discussing the consequences of unauthorized access to or disclosure of protected health information, also known as medical record snooping. Snooping applies to either paper or electronic records. These days most medical record snooping is carried out using the organization’s electronic health record (EHR) system.

In March 2022, Fierce Healthcare analyzed data on healthcare breaches reported on the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) breach portal* and reported a 267% increase, accounting for more than 20% of all breaches reported in 2021.

*Note: As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

What is an Insider Threat?

An insider threat is when a workforce member, including a doctor, inappropriately accesses patient records, regardless of whether the information acquired was used or disclosed for any reason. For example, if a workforce member sees that their neighbor has come to the clinic and accesses the neighbor’s medical record to see why they are visiting, this is considered snooping!

US-CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:

- Has or had authorized access to an organization’s network, system, or data
- Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

Types of Insider Threats

There are several types of insider threats within an organization, all with different goals. Some insider threats are as follows:

- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties

Source: Insider Threats in Healthcare – HHS Cybersecurity Program

Careless and/or Negligent Workers

While most companies spend more on defending against insider threats with malicious intent, negligent insider threats are more common. According to Ponemon’s 2020 Insider Threats Report, 61% of data breaches involving an insider are unintentional, caused by negligent insiders. Insider threats have become one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, the effect of these threats can be damaging to regulated entities and can negatively impact the confidentiality, integrity, and availability of their electronic PHI.

What are the Consequences of Medical Record Snooping?

Absent very unusual circumstances, the penalty for snooping is termination. This zero-tolerance policy applies to:

- Records of your spouse or domestic partner
- Records of your siblings
- Records of your children or grandchildren
- Records of co-workers
- Records of friends and neighbors
- Records of persons of media interest

Over the years several healthcare organizations have received HIPAA violations because of inappropriate actions by their workforce. More on this below, but before I go into what can happen when your workforce snoops, it is important for you to know what the HIPAA Security Rule says.

What does the HIPAA Security Rule Say?

The HIPAA Security Rule, 45 CFR §164.312(b), requires Covered Entities (CEs) and Business Associates (BAs), collectively referred to by HHS as regulated entities, to:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.”

And don’t forget regulated entities are also required, under 45 CFR §164.308(a)(1)(ii)(D), to:

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

What Can Happen After You’re Caught Snooping?

In 2021, hospitals and health systems reported patient record breaches by employees inappropriately accessing patients’ protected health information (PHI). Below are two of those cases:

Our first case involves a former surgery resident at Rochester, Minn.-based Mayo Clinic, who was charged in Olmsted County (Minn.) District Court with one gross misdemeanor count of unauthorized computer access after one of the 1,614 patients.

Our second case involves an emergency technician at Huntington (N.Y.) Hospital, part of Northwell Health, who pleaded guilty to one count of criminal HIPAA violations in connection with his work at three New York-area hospitals between approximately June 2012 and August 2019.

Some legal experts say these cases are a reminder of the various insider threats facing healthcare entities. But these two cases involving the intentional unauthorized access, disclosure, and use of PHI by insiders are only the tip of the iceberg.

Something to Ponder …

As a healthcare regulated entity you are required to:

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.

And don’t forget regulated entities are also required to:

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
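To show what the audit-log review these two provisions call for can look like in practice, here is an added example (not from the original post and not any vendor’s EHR code): a script that reviews a constructed EHR chart-access log against a care-team roster, a list of patients who are also workforce members, and a media-interest list, and flags every access matching the zero-tolerance categories above. The log format, the user and patient ids, and the reference tables are all assumptions.

```python
"""Review an EHR access audit log for likely snooping (45 CFR 164.308(a)(1)(ii)(D))."""
import csv
from io import StringIO

# Constructed sample audit log: who opened which chart, when, and the recorded reason.
AUDIT_LOG = """\
ts,user_id,patient_id,action,reason
2024-03-04T09:12:00,u_nurse01,p_1001,view_chart,treatment
2024-03-04T09:40:00,u_nurse01,p_1002,view_chart,treatment
2024-03-04T12:05:00,u_clerk07,p_1003,view_chart,treatment
2024-03-04T13:30:00,u_doc02,p_1004,view_chart,treatment
2024-03-04T14:00:00,u_doc02,p_1004,view_chart,treatment
2024-03-04T17:45:00,u_nurse01,p_1005,view_chart,
"""

# Constructed reference data that would normally come from the EHR and HR systems.
CARE_TEAM = {"p_1001": {"u_nurse01", "u_doc02"}, "p_1002": {"u_nurse01"},
             "p_1003": {"u_doc02"}, "p_1004": {"u_doc02"}, "p_1005": {"u_doc03"}}
WORKFORCE_PATIENTS = {"p_1003": "u_clerk09"}   # patient p_1003 is also an employee (a co-worker)
MEDIA_INTEREST = {"p_1005"}                    # flagged by the privacy office as a person of media interest


def review_access_log(log_text, care_team, workforce_patients, media_interest):
    """Return one finding per access that matches a snooping indicator.

    Indicators mirror the zero-tolerance categories discussed above: no treatment
    relationship, a co-worker's record, a person of media interest, plus a missing reason.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user_id"], row["patient_id"]
        reasons = []
        if user not in care_team.get(patient, set()):
            reasons.append("no_treatment_relationship")
        if patient in workforce_patients and workforce_patients[patient] != user:
            reasons.append("coworker_record")
        if patient in media_interest:
            reasons.append("media_interest_record")
        if not row["reason"]:
            reasons.append("no_access_reason_recorded")
        if reasons:
            findings.append({"ts": row["ts"], "user": user, "patient": patient, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access_log(AUDIT_LOG, CARE_TEAM, WORKFORCE_PATIENTS, MEDIA_INTEREST):
        print(f"{f['ts']} {f['user']} -> {f['patient']}: {', '.join(f['reasons'])}")
```

A flagged access is a lead for the privacy officer to review, not proof of snooping; a legitimate break-the-glass access still needs a recorded reason and a care relationship established after the fact.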

Evaluation

Do I need my HIPAA Security Plan Evaluated?

It is important for Covered Entities (CEs) and Business Associates (BAs) to know whether their security plans and procedures continue to adequately protect their electronic protected health information (ePHI). To accomplish this, CEs and BAs must implement and monitor their Evaluation Plan. CEs and BAs must periodically evaluate their strategy and systems to ensure that the security requirements continue to meet their organizations’ operating environments.

The Evaluation standard, § 164.308(a)(8), has no separate implementation specification. The standard requires CEs and BAs to:

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

The purpose of the evaluation is to establish a process for CEs and BAs to review and maintain reasonable and appropriate security measures to comply with the Security Rule. Initially the evaluation must be based on the security standards implemented to comply with the Security Rule. Subsequent periodic evaluations must be performed in response to environmental or operational changes that affect the security of your ePHI. Ongoing evaluations should also be performed on a scheduled basis, such as annually or every two years. The evaluations must include reviews of the technical and non-technical aspects of your security program.

Sample questions for CEs and BAs to consider:

- How often should an evaluation be done? For example, are additional evaluations performed if security incidents are identified, changes are made in the organization, or new technology is implemented?
- Is an internal or external evaluation, or a combination of both, most appropriate for the CE or BA?
- Are periodic evaluation reports and the supporting materials considered in the analysis, recommendations, and subsequent changes fully documented?

Ongoing evaluations of security measures are the best way to ensure all ePHI is adequately protected.

Note: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.