The Consequences of Medical Record Snooping
Today, I am discussing the consequences of unauthorized access to or disclosure of protected health information, commonly called medical record snooping. Snooping applies to either paper or electronic records. These days most medical record snooping is carried out using the organization’s electronic health record (EHR) system.
In March 2022, Fierce Healthcare analyzed healthcare breach data reported on the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) breach portal* and found an increase of 267%, accounting for more than 20% of all breaches reported in 2021.
*Note: As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
What is an Insider Threat?
It is when a workforce member, including a doctor, inappropriately accesses patient records, regardless of whether the information acquired was used or disclosed for any reason. For example, if a workforce member sees their neighbor has come to the clinic and accesses the neighbor’s medical record to see why they are visiting the clinic, this is considered snooping!
The US CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:
- Has or had authorized access to an organization’s network, system, or data
- Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Types of Insider Threats
There are several types of insider threats within an organization, all with different goals. Some insider threats are as follows:
- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties
Careless and/or Negligent Workers
While most companies invest more money in defending against insider threats with malicious intent, negligent insider threats are more common. According to Ponemon’s 2020 Insider Threats Report, 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders.
Insider threats have become one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to regulated entities and have a negative impact on the confidentiality, integrity, and availability of their electronic PHI.
What are the Consequences of Medical Record Snooping?
Absent very unusual circumstances, the penalty for snooping is termination. This zero-tolerance policy applies to:
- Records of your spouse or domestic partner
- Records of your siblings
- Records of your children or grandchildren
- Records of co-workers
- Records of friends and neighbors
- Records of persons of media interest
Over the years several healthcare organizations have been found in violation of HIPAA because of inappropriate actions by their workforce. More on this below, but before I go into what can happen when your workforce snoops, it is important for you to know what the HIPAA Security Rule says.
What does the HIPAA Security Rule Say?
The HIPAA Security Rule, 45 CFR §164.312(b), requires Covered Entities (CEs) and Business Associates (BAs), collectively referred to by HHS as regulated entities, to:
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI” see 45 CFR §164.312(b).
And don’t forget regulated entities are also required to:
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” see 45 CFR §164.308(a)(1)(ii)(D).
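As an added illustration (not from the original post or any particular EHR product), here is a small Python review script that applies the “regularly review records of information system activity” requirement to constructed EHR access-log lines: it flags chart views by users who have no treatment relationship with the patient and annotates the ones that fall into the zero-tolerance categories listed earlier (co-workers, persons of media interest, family or neighbors). The care-team, employee-patient and shared-household tables are assumed inputs that a real deployment would pull from the EHR encounter tables and the HR system.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient: str
    action: str

# Constructed reference data (hypothetical; in practice sourced from EHR/HR systems).
CARE_TEAM = {  # patient -> users with an encounter in the review window
    "P1001": {"dr_lee", "rn_ortiz"},
    "P1002": {"dr_lee"},
    "P1003": {"rn_ortiz"},
}
EMPLOYEE_PATIENTS = {"P1002"}               # patients who are also workforce members
MEDIA_INTEREST_PATIENTS = {"P1003"}         # persons of media interest
SAME_HOUSEHOLD = {("tech_smith", "P1001")}  # user and patient share a home address

def flag_snooping(events):
    """Return [(event, reasons)] for chart views with no treatment relationship."""
    flagged = []
    for ev in events:
        if ev.user in CARE_TEAM.get(ev.patient, set()):
            continue  # the user treated this patient: expected access, not flagged
        reasons = ["no treatment relationship"]
        if ev.patient in EMPLOYEE_PATIENTS:
            reasons.append("co-worker record")
        if ev.patient in MEDIA_INTEREST_PATIENTS:
            reasons.append("person of media interest")
        if (ev.user, ev.patient) in SAME_HOUSEHOLD:
            reasons.append("shared household (family or neighbor)")
        flagged.append((ev, reasons))
    return flagged

# Constructed audit-log sample: "timestamp user patient action", one event per line.
SAMPLE_LOG = """\
2022-03-01T08:02 dr_lee P1001 VIEW_CHART
2022-03-01T08:05 tech_smith P1001 VIEW_CHART
2022-03-01T09:10 dr_lee P1002 VIEW_CHART
2022-03-01T12:40 tech_smith P1002 VIEW_CHART
2022-03-01T13:15 rn_ortiz P1003 VIEW_CHART
2022-03-01T13:20 tech_smith P1003 VIEW_CHART
"""

def parse_log(text):
    """Parse the whitespace-separated sample format into AccessEvent records."""
    return [AccessEvent(*line.split()) for line in text.splitlines() if line.strip()]

def review(text=SAMPLE_LOG):
    """Run the snooping check over a log text and return the flagged events."""
    return flag_snooping(parse_log(text))
```

Every flagged event should go to a privacy officer for follow-up; the three hits on `tech_smith` in the sample are exactly the neighbor, co-worker and media-interest patterns the post describes.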
What Can Happen After You're Caught Snooping?
In 2021, hospitals and health systems reported patient record breaches by employees inappropriately accessing patients’ protected health information (PHI).
Below are two of those cases:
- Our first case involves a former surgery resident at Rochester, Minn.-based Mayo Clinic who was charged in Olmsted County (Minn.) District Court with one gross misdemeanor count of unauthorized computer access after one of the 1,614 patients.
- Our second case involves an emergency technician at Huntington (N.Y.) Hospital, part of Northwell Health, who pleaded guilty to one count of criminal HIPAA violations in connection with his work at three New York-area hospitals between approximately June 2012 and August 2019.
Some legal experts say these cases are a reminder of the various insider threats facing healthcare entities. But these two cases, involving the intentional unauthorized access, disclosure, and use of PHI by insiders, are only the tip of the iceberg.
Something to Ponder ...
As a healthcare regulated entity, you are required to:
- Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI
And don’t forget regulated entities are also required to:
- Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.