Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents

Ransomware, malware and unaddressed software weaknesses pose a danger to the confidentiality, integrity and availability of PHI, but healthcare groups must also put processes in place to deal with threats from within. This year has seen a multitude of cases involving employees snooping on medical records and accessing them without permission.

The HIPAA Security Rule 45 CFR §164.312(b) requires covered organizations to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered organizations to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Logs create an audit trail that can be reviewed in the event of a data breach or privacy incident. Those logs can be checked to see which records have been accessed without authorization.

If those logs are reviewed continuously, privacy breaches can be identified quickly and action taken to limit the damage. However, recent incidents have shown that while access logs are being maintained, they are not being regularly monitored. There have been numerous recent cases of workers who improperly accessed patients’ medical records over periods of several years.

Recently, Beacon Health announced an employee had been found to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing this. That member of staff had been snooping on medical records for a period of three years.

In March, Chadron Community Hospital and Health Services in Nevada discovered an employee had viewed the medical details of 700 patients over a period of five years, and St. Charles Health System in central Oregon discovered an employee had accessed medical records without permission over a 27-month period.

Also in March, Trios Health discovered an employee had improperly viewed the medical details of 570 patients. The improper access happened over a period of 41 months.

Rapid detection of internal privacy breaches is vital to limiting damage. Even when snooping is identified relatively quickly, the privacy of many thousands of patients may already have been breached. In January, Covenant HealthCare advised 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical details over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a duration of 10 months.

Healthcare groups may feel it is inappropriate to limit access to patients’ PHI, but a system can be put in place that will alert staff to improper access quickly. Software solutions can be used to identify improper access and alert appropriate members of staff in near real-time. If such systems are not adopted, regular audits of ePHI access logs should be completed. Regular monitoring of ePHI access logs will allow groups to prevent large-scale breaches, reduce legal liability and reduce the harm caused by rogue members of staff.
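The near-real-time alerting described above can be approximated with a small rule engine run over the ePHI access log. The script below is an added example, not code from the article or from any monitoring product: the pipe-delimited log format, the staff-to-patient care-relationship table and the daily volume threshold are all constructed assumptions. It flags two patterns that feature in the incidents above: a chart opened by a user with no recorded care relationship to that patient, and a user opening an unusually large number of distinct charts in one day.

```python
"""
Rule-based detection of improper ePHI access from an audit trail.

Added illustration, not the article's or any vendor's code. The log format,
the care-relationship table and the threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp | user | patient_id | action
SAMPLE_LOG = """\
2023-03-01T08:05:00 | nurse_a | P1001 | VIEW_CHART
2023-03-01T08:07:00 | nurse_a | P1002 | VIEW_CHART
2023-03-01T08:09:00 | nurse_a | P1003 | VIEW_CHART
2023-03-01T12:30:00 | clerk_b | P2001 | VIEW_CHART
2023-03-01T12:31:00 | clerk_b | P2002 | VIEW_CHART
2023-03-01T12:32:00 | clerk_b | P2003 | VIEW_CHART
2023-03-01T12:33:00 | clerk_b | P2004 | VIEW_CHART
2023-03-01T12:34:00 | clerk_b | P2005 | VIEW_CHART
2023-03-01T12:35:00 | clerk_b | P2006 | VIEW_CHART
2023-03-02T09:00:00 | dr_c    | P1001 | VIEW_CHART
"""

# Constructed care-relationship table (in practice derived from encounter,
# scheduling or billing data): which staff have a legitimate reason to
# open which patient charts.
CARE_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002"},
    "dr_c": {"P1001"},
    "clerk_b": {"P2001"},
}


def parse_log(text):
    """Parse the constructed log format into a list of access records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = [f.strip() for f in line.split("|")]
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def detect_improper_access(records, relationships, max_distinct_per_day=4):
    """Return a list of findings from two rules.

    no_relationship: the user has no recorded care relationship to the patient.
    high_volume:     the user opened more than max_distinct_per_day distinct
                     charts on one calendar day (threshold is an assumption).
    """
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        allowed = relationships.get(r["user"], set())
        if r["patient"] not in allowed:
            findings.append({
                "rule": "no_relationship",
                "user": r["user"],
                "patient": r["patient"],
                "ts": r["ts"].isoformat(),
            })
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > max_distinct_per_day:
            findings.append({
                "rule": "high_volume",
                "user": user,
                "day": day.isoformat(),
                "count": len(patients),
            })
    return findings


def run_sample():
    """Run both rules over the constructed sample log."""
    return detect_improper_access(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS)


if __name__ == "__main__":
    # Each finding is what a privacy officer would receive as an alert.
    for f in run_sample():
        print(f)
```

In a real deployment the care-relationship table is the hard part: it has to be rebuilt continuously from encounter and scheduling systems, and legitimate exceptions (emergency "break-the-glass" access, consults) need a documented reason code so that the no_relationship rule generates a review item rather than a false accusation. The high_volume rule is deliberately crude; a per-role baseline with a longer lookback catches the slow, multi-year snooping in the cases above far better than a fixed daily count.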

Author: Maria Perez