Record Snooping
Lance King
Vice President, Sales
Healthcare Compliance Solutions
Phone (801) 947-0183
lking@hcsiinc.com
Record snooping has been around for a long time.
What to expect
Examples of Record Snooping
  • UCLA Hospitals
  • Carilion Clinic
  • Allina Hospitals and Clinics
  • University of Iowa Health Centers
  • Everett Clinic
Levels of Sanctions for Record Snooping
  • Level 1 - Accidental
  • Level 2 - Intentional
  • Level 3 - Harmful
Ways to Prevent Record Snooping
Conclusions on Record Snooping
What Is Record Snooping?
Problems with Record Snooping
Examples of Record Snooping
UCLA Hospitals
Paid $865,500 settlement
Record Snooping: More common than you think
Hired
Record Snooping
32 Fired
Everett Clinic
Fired 13 staff members and physicians
Level 1 - Accidental Breach
Warning and Retraining
Level 2 - Intentional Breach
Warning, Retraining, and Possible Suspension
Level 3 - Harmful Breach
Employment Termination
Ways To Prevent Record Snooping
“I was just curious . . .”
Ways To Prevent Record Snooping
Thank You

Editor's Notes

  • #3: Manage & Mitigate Risks
  • #4: Record snooping is an intrusive act that has been done by healthcare workers for a long time. However, with the HIPAA Privacy rules, there are now serious repercussions for the healthcare worker and the office they work for. The results of record snooping include the employee losing their job, public humiliation for the office involved, heavy monetary fines, and potential legal action. This intrusive act is a big problem for the employee involved and their employer.
  • #6: Record snooping is unauthorized access to a patient's information. This type of privacy invasion happens when an employee accesses a patient's health information without cause, to satisfy their own or somebody else's desire to know that patient's personal health information (PHI). We are all human and, as such, are naturally curious. Protecting the privacy of patient records is a top priority for a health care provider, and that means both internally and externally.
  • #7: Violates patients' privacy. Is a HIPAA violation. Causes public embarrassment for your practice. Lowers public perceived confidence in your practice. Can lead to large fines for your practice.
  • #9: UCLA Health System has agreed to pay $865,500 as part of a settlement with federal regulators announced. Two celebrity patients alleged that hospital employees broke the law and reviewed their medical records without authorization.
  • #10: Carilion Clinic, in Roanoke, Virginia, had to fire or discipline 14 employees for patient record snooping, which is common in many organizations. Fourteen employees were found to have accessed patient records without a legitimate patient-care need.
  • #11: Allina Hospitals and Clinics, a Minnesota health delivery system, fired 32 employees for inappropriately looking at the electronic health records of patients involved in a mass drug overdose case.
  • #12: A student healthcare worker, Kathryn, was fired from the University of Iowa Health Center for violating the privacy of a pregnant female student and her well-known student athlete boyfriend. For over 14 years, Kathryn had received HIPAA privacy training, but that didn’t stop her from revealing out loud to at least one nearby coworker that she hoped the young couple was happy with the positive results of the pregnancy test. Kathryn even went so far as to point out the student athlete to the clerk after she noticed him in the waiting room. She also inappropriately accessed the patient’s chart at least twice, opening the records from past visits and medication records. The clerk then went and spoke with two medical assistants who treated the female student and asked about the couple’s reaction to the news of the positive pregnancy test. The medical assistants then reported the inquiry to a manager as a possible privacy violation.
  • #13: Everett Clinic, in Everett, Washington, uses Fair Warning software, which red-flags unauthorized access to ePHI. Not long after they started using Fair Warning, 13 staff members and physicians were fired due to various incidents involving inappropriate access. Becky Hood, CIO of Everett Clinic, says, “Our policy leans toward no-tolerance [of record snooping], but we’ll investigate each situation to determine if the incident was malicious, accidental or if a staff member didn’t understand [the rules].”
  • #14: Consequences for record snooping can vary widely for different organizations. Some have a zero-tolerance policy. Some organizations institute a progressive system, with the level of sanctions increasing for multiple violations or for particularly egregious violations. Sanction policy examples:
  • #15: Level 1 – Accidental Breach. Possible scenarios: Employee does not log off computer after use. Employee faxes the wrong PHI to another practice. Employee emails PHI to the wrong email address. Sanction: Warning and retraining. Verbal warning documented in the employee’s file and mandatory retraining for the first offense. Continued offenses lead to progressive discipline up to and including termination.
  • #16: Level 2 – Intentional Breach without Harmful or Dishonest Intentions. Possible scenarios: Viewing patient records out of curiosity. Sharing PHI (any information that identifies the patient, including diagnosis or treatment, financial information, or photos) in personal communications or on social networks because the information is interesting, not for treatment purposes. Employee shares computer password. Discussing patient information in an unsecured area. Sanction: Written warning and re-education, possible suspension. Written warning documented in the employee’s file and mandatory re-education for the first offense. Continued offenses lead to progressive discipline up to and including suspension or termination.
  • #17: Level 3 - Willful or Intentional Breach with Harmful or Dishonest Intentions. Possible scenarios: Using PHI for personal gain (marketing without authorization). Using PHI to cause harm (exposing information to unauthorized individuals or social networks because of dislike for the owner of the PHI). Giving access to a restricted area to an unauthorized individual. Giving access to PHI to an unauthorized individual. Sanction: Termination. Termination and possible legal action. Yes, we are all curious, but is record snooping worth the price of losing your job or possible legal action? Respecting privacy protects us all.
  • #19: Conduct a security risk analysis, preferably guided by experienced compliance professionals. This step alone shows your practice’s due diligence in protecting confidential patient data, and is required by HIPAA. Clearly communicate your no-snooping policy to all employees. Every new hire should get both a written and verbal orientation to your practice’s zero-tolerance policy on snooping. This policy should also extend to all your business associates, including accountants, lawyers and IT professionals. Due to changes in HIPAA rules, your practice can now be fined if a business associate does the snooping. Give employees only the “minimum necessary” access to protected health information (PHI). Your receptionist doesn’t need access to clinical data, which eliminates the temptation to peek into Brad Pitt’s files – or those of an ex-spouse or neighbor. Password-protect medical files depending on “need to know.” Employees should be frequently reminded that your practice prohibits the sharing of passwords and user IDs.
  • #20: Document a formal process for initiating and terminating access. Your office manager should establish and document controls for granting and terminating employee access to patient records — and access needs to be immediately shut down when an employee leaves the practice. Communicate and enforce disciplinary actions for snooping. Employees should know upfront what the consequences will be, such as suspension or termination of employment in cases of malicious intent. Conduct background checks. Follow ERISA rules, but conduct background and reference checks before new employees start the job. Many snooping violations go unreported, but running these checks will represent reasonable due diligence and may prevent costly fines and a tarnished reputation. Allow patients to restrict the sharing of PHI. You’re required to honor a patient’s special request for privacy (e.g., an ex-spouse of one of your nurses requesting that he/she not have access to PHI).
  • #21: Record snooping can cause serious harm to your practice. Although there is no way to completely eliminate record snooping, there are steps you can take that will help protect your practice if a violation occurs.
  • #22: Manage & Mitigate Risks