Loss or theft of mobile devices accounts for the breaches that expose the largest volumes of protected health information (PHI), but the most common cause of HIPAA security breaches is unauthorized access to patients' medical records by nosy employees.
A survey by Veriphyr Identity and Access Intelligence found that seven out of ten responding organizations admitted to at least one security breach, and that half of those breaches were caused by employees gaining unauthorized access to records.
The survey ranked curiosity as the main driver of unauthorized access: 27% of the breaches involved staff viewing the medical records of a friend or family member, and 35% involved staff looking at the records of their co-workers.
The survey targeted medium to large healthcare organizations, but smaller practices almost certainly face the same problem.
Nosy Employees are Violating HIPAA
A breach affecting a single patient's records does not have to be reported to the Office for Civil Rights (OCR) immediately: breaches affecting fewer than 500 individuals are logged and reported to OCR annually, while breaches affecting 500 or more individuals must be reported within 60 days of discovery. Either way, a snooping employee viewing one patient's chart is still an impermissible use of PHI and a HIPAA violation, and it can trigger a full OCR investigation.
PHI must be protected by administrative, technical, and physical safeguards. Those safeguards will not stop every unauthorized access, but access logs record who opened which record and when, so that snooping can be detected and contained quickly, provided someone actually reviews the logs.
How Healthcare Organizations Can Help Prevent Unauthorized Access
As noted above, HIPAA compliance requires administrative, technical, and physical safeguards for PHI, and the Meaningful Use program also requires organizations to protect electronic PHI (ePHI) and to perform a security risk analysis. Privacy and Security audits should be carried out to evaluate the risks an organization faces. A full examination of IT systems, procedures, and policies can help identify and manage those risks.
For Privacy and Security audits to reach meaningful conclusions, a four-step process should be followed:
- Analyze all IT systems that store, process, or transmit ePHI
- Examine and overhaul the approach to risk management
- Develop sanctions for HIPAA violations and make sure all staff know what they are
- Verify that user session data and record access data are being logged and that the logs are actually monitored. Anomalous access, such as a staff member opening the record of a co-worker, a relative, or a patient with whom they have no treatment relationship, should be investigated
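The last step is where snooping of the kind the survey describes is actually caught. The script below is an added example, not code from the article or from Veriphyr, showing how an access-log review can flag the three patterns named above: self-access, access to a co-worker's record, and access to a patient with no treatment relationship, with a same-surname check as a weak hint of a family member. The audit log, employee roster, patient directory and care-team table are all constructed for the example, and the field names are assumptions rather than any EHR vendor's real audit format.

```python
"""
Flag suspicious ePHI access in an EHR audit log.

Everything below is constructed for illustration: the log lines, the roster,
the patient directory and the care-team assignments are made up, and the
column names are assumptions, not a real vendor's audit schema.
"""
import csv
from collections import namedtuple
from io import StringIO

# Constructed audit log: who opened which patient's chart, and when.
AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2023-03-01T08:02:11,nurse_ana,P1001,VIEW_CHART
2023-03-01T08:15:40,nurse_ana,P2002,VIEW_CHART
2023-03-01T09:30:05,clerk_bob,P3003,VIEW_CHART
2023-03-01T10:01:59,dr_chen,P1001,VIEW_CHART
2023-03-01T12:45:00,clerk_bob,P4004,VIEW_CHART
2023-03-01T13:10:22,clerk_bob,P5005,VIEW_CHART
"""

# Constructed roster: each employee's own patient ID (if they are also a
# patient here) and surname. The surname is only used for a weak heuristic.
EMPLOYEES = {
    "nurse_ana": {"patient_id": "P2002", "surname": "Alvarez"},
    "clerk_bob": {"patient_id": "P3003", "surname": "Brown"},
    "dr_chen":   {"patient_id": "P5005", "surname": "Chen"},
}

# Constructed patient directory: surname per patient ID.
PATIENTS = {
    "P1001": "Ito",
    "P2002": "Alvarez",
    "P3003": "Brown",
    "P4004": "Brown",
    "P5005": "Chen",
}

# Constructed treatment relationships: staff with a legitimate reason to open
# each chart (in a real system this comes from encounter/order assignments).
CARE_TEAM = {
    "P1001": {"nurse_ana", "dr_chen"},
    "P2002": {"dr_chen"},
    "P3003": {"dr_chen"},
    "P4004": {"nurse_ana"},
    "P5005": {"nurse_ana"},
}

Finding = namedtuple("Finding", "timestamp user_id patient_id reasons")

# Employee records, indexed by patient ID, so co-worker lookups are O(1).
EMPLOYEE_RECORDS = {e["patient_id"] for e in EMPLOYEES.values() if e["patient_id"]}


def classify_access(user_id, patient_id):
    """Return the reasons an access looks like snooping; an empty list means normal."""
    reasons = []
    employee = EMPLOYEES.get(user_id, {})
    if employee.get("patient_id") == patient_id:
        # Staff opening their own chart bypasses the normal request process.
        reasons.append("self-access")
    elif user_id not in CARE_TEAM.get(patient_id, set()):
        # No treatment relationship is the primary signal for snooping.
        reasons.append("no-treatment-relationship")
        if patient_id in EMPLOYEE_RECORDS:
            # The chart belongs to another employee: co-worker snooping.
            reasons.append("coworker-record")
        if employee.get("surname") and PATIENTS.get(patient_id) == employee["surname"]:
            # Weak signal only: common surnames produce false positives,
            # so this is a hint for the reviewer, not a verdict.
            reasons.append("possible-family-member")
    return reasons


def find_suspicious_access(log_text):
    """Run every log row through classify_access and return the flagged ones."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = classify_access(row["user_id"], row["patient_id"])
        if reasons:
            findings.append(Finding(row["timestamp"], row["user_id"],
                                    row["patient_id"], reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_access(AUDIT_LOG):
        print(f"{f.timestamp} {f.user_id} -> {f.patient_id}: {', '.join(f.reasons)}")
```

On the constructed log, four of the six accesses are flagged: the two self-accesses, a clerk opening a chart with no treatment relationship whose patient shares the clerk's surname, and the same clerk opening a co-worker's own record. The treatment-relationship check does the real work; the surname match is deliberately reported as a weak hint, since the reviewer, not the script, decides whether a flagged access was a HIPAA violation.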
Employees who need access to PHI for their work cannot be barred from medical records, but their access should be limited to the minimum necessary for their role. They must be made aware of their duties and of the relevant safeguards in Meaningful Use and the HIPAA Privacy and Security Rules, and they should be told plainly what consequences unauthorized access to PHI can have, for the patient and for them.
Nosy employees cannot always be stopped, but unauthorized access to PHI can be reduced, and compliance with the Privacy and Security Rules limits the fallout when a HIPAA violation does occur.