How employee snooping results in HIPAA trouble

One of today’s biggest data challenges involves preventing the improper access of protected patient information. When your own employees sneak a peek at patient records without authorization—either out of curiosity or malicious intent—your organization can pay the price.

Mary Chaput, CFO and compliance officer at consultancy Clearwater Compliance LLC in Nashville, Tenn., says the number of cases of employee snooping is probably much larger than the cases reported to federal officials.

“Besides celebrity cases, we call the bulk of them the ‘ex factor,’ for ex-spouse, ex-friend or ex-colleague,” she says. “The organization may apply sanctions, and there may be some remuneration. But the reputational damage could be huge.”
 

Indiana case a game changer

Until recently, violations of HIPAA (Health Insurance Portability and Accountability Act) were investigated and sanctioned solely by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state regulators. But a recent Indiana case has added a new twist: A court of appeals upheld a $1.4 million verdict for a Walgreens pharmacy customer whose prescription information was provided to a third party by a snooping pharmacist.

However, the law does not allow individuals to claim HIPAA violations directly in a privacy lawsuit. Only the government can cite HIPAA violations. Neal Eggeson, the lawyer who successfully argued the case in Indiana, used HIPAA to establish the standard of care. So Walgreens was not sued for violating HIPAA but for negligence. Similarly, the pharmacist was not sued for violating HIPAA but for professional malpractice.

The healthcare industry could see more individuals filing negligence or malpractice lawsuits based on snooping cases in the future, especially if the organization has done little to train employees or investigate allegations.
 

What to do

As of 2012, a practice can be fined $1.5 million per HIPAA violation in cases of willful neglect, in addition to individual lawsuits. So what can behavioral healthcare providers do to limit the risk?
 

1/ Training

“Employee training on this topic needs to be provided initially and then annually at a minimum,” says Angela Dinh Rose, director of HIM practice excellence for the American Health Information Management Association (AHIMA). “Constantly audit your system and check for whether improper access is occurring.”

She says organizations should pay attention to patient complaints. Auditing can help identify possible trends in inappropriate access.
 

2/ Communicate the no-peeking policy to every employee

Every provider organization must communicate its policy to employees and apply appropriate sanctions consistently, Chaput says.

“The reason I say consistently is that some organizations tend to treat executives and top medical staff a little differently,” she says. “Employees have to know what the consequences will be. With snooping, we recommend if they are caught once, they lose their jobs. People have to know why it happened. Sanctions must be rigorous and consistently applied.”
 

3/ Limit access to data

In addition, make sure that employees have only the minimum access necessary to do their jobs, Chaput says. For instance, a receptionist does not need information about medical conditions, so block that employee’s access to it.
 

4/ Monitor VIP patient records

AHIMA’s Dinh Rose says VIP patient records could be specially flagged and their access monitored all day long.

“A popup box could tell employees they are entering a confidential record and all accesses are being audited,” she says. “That gives them one more chance to get out of the file.”
 

5/ Discourage log-in piggybacking

According to Chaput, it is also important to monitor for any inappropriate sharing of user IDs and passwords. For example, some clinicians don’t like logging in and out of an EHR system repeatedly and push the IT staff to make the automatic logoff as long as 30 minutes. But that could leave data available for snooping, she says.
 

6/ Focus on people issues

Much of the media attention about data breaches focuses on hackers breaking into networks, but Chaput points out that 93 percent of breach incidents published on the HHS “Wall of Shame” involve people making mistakes such as leaving an unencrypted laptop in a car or employees snooping.

“Always focus on the people issues,” she says. “Make sure there is a documented policy.”

If there is an incident, tighten up the policy and reinforce it. Completing your due diligence upfront and responding quickly to any incident should help in any type of lawsuit situation.
 

Great examples of costly violations:

In the largest snooping fine to date, the UCLA Health System agreed to pay $865,000 in 2011 to settle potential HIPAA violations involving employees improperly accessing celebrities’ electronic medical records.

In 2009 California regulators used a newly passed law to fine Kaiser Permanente's Bellflower hospital $250,000 for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who gave birth to octuplets.


More online:

Search the HHS list of breaches that involved 500 or more individuals’ records.

Read the Indy Star news coverage of the final ruling here.

Read the blog with comments from Eggeson here.