Yolanda Sims, JD, MHA
Loss Prevention and Risk Management Advisor
Employee Snooping Highlighted in HHS Investigation
On June 15, 2023, the U.S. Department of Health and Human Services announced a settlement with a community hospital in Washington state to resolve allegations of violations of HIPAA’s privacy and security rules. This case illustrates the consequences of snooping and the importance of limiting access to PHI to those employees who need it for job-related purposes.
The Office for Civil Rights (OCR) opened the investigation in May 2018 after a breach notification report indicated that 23 security guards in the emergency department had used their login credentials to impermissibly access patient medical records stored in the electronic medical record system. The guards allegedly accessed records for 419 people, including their names, dates of birth, addresses, treatment notes, and insurance information. The investigation found that the security guards did not need access to electronic protected health information to perform their jobs.
The hospital agreed to pay $240,000 and abide by a two-year corrective action plan. The plan requires the hospital to submit the following for HHS’s review and approval: (1) conduct an enterprise-wide analysis of security risks and vulnerabilities; (2) develop an enterprise-wide risk management plan to identify and mitigate security risks; (3) develop, maintain, and revise written HIPAA policies and procedures and distribute them to workforce members with access to PHI; (4) augment existing privacy and security training programs; and (5) review each of its business associate relationships and report any material failures to HHS.
Snooping: What Is It? Why Is It Concerning?
In the healthcare setting, snooping is when employees view patient medical records without proper authorization because they are curious to discover details about a patient and their treatment plan. Common snooping scenarios in the healthcare setting include family members snooping on other family members, nosy neighbors, and curious co-workers. Although most HIPAA settlements that gain public attention involve large-scale data breaches, numerous studies suggest that employee snooping is the largest single cause of exposure of patient health information. OCR revealed in its most recent annual report to Congress that complaints alleging HIPAA or HITECH Act violations increased by 25% in 2021.
The bottom line is that snooping amounts to a privacy breach under HIPAA, but such violations can be harder to detect and prevent than large-scale breaches. HIPAA provides three exceptions to the definition of breach. One exception applies when an employee of a covered entity accesses or uses protected health information unintentionally but in good faith and within the scope of authority. However, OCR has stated that this exception does not apply to snooping employees, because snooping is neither unintentional nor done in good faith.
Mitigate the Harm
Prying eyes, loose lips, and other curious acts could result in a privacy breach and lead to serious consequences. If snooping is a concern in your organization, here are a few tips that may discourage snooping as you begin to review and enhance internal privacy practices:
#1 Limit Access to PHI
Limit access to ensure workforce members can only access the patient information needed for their job-related duties. Evaluate the roles of all workforce members to determine which individuals should have access to PHI and which should not.
#2 Periodically Review Relevant Policies
Review and update your HIPAA privacy and security policies to ensure compliance. A thorough review will also help determine whether you currently have an effective way of detecting inappropriate access to patient records.
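Tips #1 and #2 come down to two technical controls: a role entitlement table that says which workforce roles have a job-related need to view PHI (default deny for anything not listed), and a review of EMR access-audit logs that flags access outside those entitlements. The script below is an added example written for this article; it is not the hospital's, OCR's, or any EMR vendor's code. The role table, the audit-line format (ISO timestamp|user|role|patient id|action), the user names, and the sample log lines are all constructed for illustration. It also goes one step beyond the text with a second, volume-based check, since a snooping user who does hold a legitimate role (a nurse looking up a neighbor, for example) will pass the role check but may stand out by viewing many unrelated records in a short window.

```python
"""Two snooping checks over EMR access-audit events (added example, not from the article)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical entitlement table (assumption for this example, not a real hospital policy):
# which workforce roles have a job-related need to view PHI. Any role missing from the
# table is treated as NOT entitled, so a new or unexpected role is denied by default.
ROLE_MAY_VIEW_PHI = {
    "physician": True,
    "nurse": True,
    "billing": True,
    "security_guard": False,
    "facilities": False,
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed audit line: ISO-timestamp|user|role|patient_id|action."""
    ts, user, role, patient, action = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient, action)


def parse_log(text: str) -> list[AccessEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def role_violations(events: list[AccessEvent]) -> list[AccessEvent]:
    """Tip #1 check: every PHI access by a role with no job-related need (or an unknown role)."""
    return [e for e in events if not ROLE_MAY_VIEW_PHI.get(e.role, False)]


def volume_anomalies(events: list[AccessEvent], max_patients: int = 5,
                     window: timedelta = timedelta(hours=1)) -> dict[str, int]:
    """Tip #2 heuristic: a user who views more than `max_patients` distinct records
    within any sliding `window`. Returns {user: peak distinct patients in a window}.
    Thresholds are illustrative and would be tuned per role in practice."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)
    flagged: dict[str, int] = {}
    for user, evs in by_user.items():
        peak = 0
        for i, start in enumerate(evs):
            seen = {x.patient_id for x in evs[i:] if x.ts - start.ts <= window}
            peak = max(peak, len(seen))
        if peak > max_patients:
            flagged[user] = peak
    return flagged


# Constructed sample audit log. A nurse with two legitimate lookups, a security guard
# viewing three records (no entitlement), and a physician opening seven different
# charts in twelve minutes (entitled role, but unusual volume).
SAMPLE_LOG = """
2023-05-01T22:05:00|jdoe|nurse|P001|view
2023-05-01T22:07:00|jdoe|nurse|P002|view
2023-05-01T23:10:00|guard7|security_guard|P003|view
2023-05-01T23:11:00|guard7|security_guard|P004|view
2023-05-01T23:15:00|guard7|security_guard|P005|view
2023-05-02T09:00:00|asmith|physician|P010|view
2023-05-02T09:02:00|asmith|physician|P011|view
2023-05-02T09:04:00|asmith|physician|P012|view
2023-05-02T09:06:00|asmith|physician|P013|view
2023-05-02T09:08:00|asmith|physician|P014|view
2023-05-02T09:10:00|asmith|physician|P015|view
2023-05-02T09:12:00|asmith|physician|P016|view
"""


def run_checks(text: str = SAMPLE_LOG) -> tuple[list[AccessEvent], dict[str, int]]:
    """Run both checks and return (role violations, volume anomalies) for review."""
    events = parse_log(text)
    return role_violations(events), volume_anomalies(events)


if __name__ == "__main__":
    violations, anomalies = run_checks()
    for e in violations:
        print(f"ROLE VIOLATION  {e.ts.isoformat()} user={e.user} role={e.role} patient={e.patient_id}")
    for user, peak in anomalies.items():
        print(f"VOLUME ANOMALY  user={user} distinct_patients_in_window={peak}")
```

The role check is the one that would have caught the case described above: a security guard role should never appear in the PHI access log at all, so every such line is a finding, not a statistical outlier. The volume heuristic is deliberately crude; in a real review it feeds a privacy officer's follow-up (was there a clinical reason for those seven charts?) rather than deciding anything on its own.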
#3 Conduct Workforce Training
On an annual basis, train and educate your staff on the harmful effects of snooping. Provide concrete examples of privacy breaches to create a culture of privacy and encourage the workforce to be privacy champions in the workplace.
#4 Communicate the Consequences of Snooping
Employees who violate patient privacy rules should be forewarned that it could result in disciplinary action, including termination.
The “tone at the top” is an important factor when evaluating your organization’s commitment to patient privacy and adherence to the rules set by HHS. Collaborate with your privacy officer and technology expert to build a training, oversight, and privacy culture that ensures patient medical information remains confidential and safeguarded. The fallout from a privacy breach goes beyond fines and penalties. A privacy breach impacts patient care because it breaks confidentiality, weakens public trust, and sometimes results in irreversible reputational harm to the organization.
KAMMCO members can access a data and privacy toolkit under the Beazley Breach Solutions tab for more information and related resources on privacy and security rules. Please navigate to our website’s Cyber Risk Management Resource page and log in today.