Having a mobile device stolen may lead to the largest exposures of Protected Health Information; however, the most commonly experienced cause of HIPAA security breaches is small-scale snooping by employees, according to a study carried out by Veriphyr Identity and Access Intelligence.
The study asked healthcare groups about the security breaches their organizations had experienced, with 70% of the survey respondents claiming to have suffered at least one security breach. 35% of those respondents attributed the breaches to unauthorized access by staff.
Snooping was the biggest single cause of exposure of patient health information according to the survey, with 27% having suffered a violation when a staff member viewed medical records of friends and family, while 35% occurred when employees checked the medical records of their work mates.
The survey was carried out on medium to large healthcare groups; however, there is no reason to suggest that small healthcare organizations do not suffer data breaches of a similar kind.
Unauthorized access of a single patient record may not make mainstream news and the matter is not immediately reportable to the Office of Civil Rights, although the incident is still classified as a HIPAA violation and could potentially trigger a review by the OCR.
All patient records must be safeguarded, and the appropriate administrative, technical and physical methods must be employed to keep all PHI secure and away from curious eyes. While it may not be possible to cut out unauthorized accessing of medical records in all cases, a monitoring system should be in place to ensure that if data is accessed by an unauthorized person, rapid action can be taken to mitigate any harm.
Groups compliant with Meaningful Use must ensure that the ePHI of patients is safeguarded, with HIPAA also requiring adequate physical, administrative and technical safeguards to be implemented to secure electronic health data. The starting point for assessing security risks in an organization is to conduct a Privacy and Security Audit. Only by thoroughly reviewing all IT systems, procedures and policies can potential security threats be identified and eliminated.
When a Privacy and Security Audit is completed, healthcare groups must complete a four-step procedure as detailed here:
- Complete a full risk analysis of all IT systems
- Review and update risk management policies and procedures
- Establish an employee sanction policy following HIPAA breaches and ensure it is communicated to all staff
- Make sure logins and data access are logged and access logs are checked regularly; any irregularities found must be investigated quickly
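
One way to carry out the access-log check in the last step, targeting the two snooping patterns the survey describes (co-workers' records and family records). This is an added example, not code from the study or from any EHR product; the log fields, the staff and patient tables, the care-team relationship set and all IDs are constructed assumptions.

```python
from collections import namedtuple

Access = namedtuple("Access", "timestamp user_id patient_id")

# Constructed sample data; every ID, name and field is hypothetical.
EMPLOYEES = {  # user_id -> (surname, employee's own patient_id or None)
    "u100": ("Rivera", "p900"),
    "u101": ("Chen", "p901"),
    "u102": ("Okafor", None),
}
PATIENTS = {"p900": "Rivera", "p901": "Chen", "p300": "Chen", "p301": "Novak"}
# Assumed source of truth for who has a work reason to open which chart.
CARE_TEAM = {("u100", "p301"), ("u102", "p901")}
LOG = [
    Access("2024-03-01T09:12", "u100", "p301"),  # assigned patient
    Access("2024-03-01T09:40", "u100", "p901"),  # co-worker's chart
    Access("2024-03-01T10:05", "u101", "p300"),  # patient shares user's surname
    Access("2024-03-01T11:30", "u102", "p901"),  # co-worker, but on care team
    Access("2024-03-01T11:45", "u101", "p901"),  # user's own chart
    Access("2024-03-01T12:10", "u999", "p301"),  # account not in staff directory
]

def flag_snooping(log, employees, patients, care_team):
    """Return (entry, reasons) for accesses that need a privacy review."""
    staff_charts = {pid for _, pid in employees.values() if pid}
    findings = []
    for entry in log:
        if (entry.user_id, entry.patient_id) in care_team:
            continue  # documented work relationship
        if entry.user_id not in employees:
            findings.append((entry, ["unknown account"]))
            continue
        surname, own_chart = employees[entry.user_id]
        if entry.patient_id == own_chart:
            continue  # self-access is left to a separate policy (assumption)
        reasons = []
        if entry.patient_id in staff_charts:
            reasons.append("co-worker record")
        # Surname match is a heuristic for family; expect false positives.
        if patients.get(entry.patient_id, "").lower() == surname.lower():
            reasons.append("shared surname")
        if reasons:
            findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in flag_snooping(LOG, EMPLOYEES, PATIENTS, CARE_TEAM):
        print(entry.timestamp, entry.user_id, entry.patient_id, ", ".join(reasons))
```

Each finding is a lead for investigation rather than proof of a violation; the shared-surname rule in particular will flag unrelated patients with common names.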
If individual employees must have access to patient health records in order to perform their duties, there is little that can be done to stop those individuals from accessing data should they wish. It is therefore crucial for staff to be advised of their obligations under Meaningful Use and HIPAA and be informed of the possible outcomes of accessing ePHI without permission.
Groups may not be able to eliminate the risk of employee snooping, but the risk can be reduced and, provided data privacy and security rules are followed, it is possible to restrict any harm caused and avoid a HIPAA violation fine.