Internal security threats

June 3, 2005


Q: I recently caught a staff member who isn't authorized to view protected information looking up the electronic medical record of a patient whom she knows socially. Was this a violation of the security rule?

A: Yes. If you store or transmit protected health information electronically, the security rule requires you to guard against internal threats to that information as well as external ones, and a staff member with no work-related need looking up a record is exactly the kind of internal threat it has in mind. Fortunately, many internal threats can be addressed with the proper policies and procedures: a unique account and password for each user, access rights limited to what each role needs to do its job, a sanction policy for staff who view records they have no reason to see, and an audit log of who opened which record so that an inappropriate lookup like this one can be detected and acted on rather than discovered by chance.
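The following is an added illustration of the access check and audit trail described above; it is not code from the original column. It assumes (my assumptions, not the page's) that each user has a role, that only clinical and billing staff may open records and only for patients on their care team, and that every attempt, allowed or denied, is logged so that a lookup like the one in the question turns up on review.

```python
"""Role- and care-team-based access check for an electronic medical record,
with an audit trail. Added illustration; all names and rules are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles assumed (hypothetical) to need patient-record access for their work.
PHI_ROLES = {"clinician", "billing"}


@dataclass
class User:
    user_id: str
    role: str
    care_team_for: set = field(default_factory=set)   # patient IDs this user treats or bills


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    patient_id: str
    allowed: bool
    reason: str


def authorize_record_access(user, patient_id, audit_log, when=None):
    """Decide whether `user` may open `patient_id`'s record and log the attempt either way."""
    when = when or datetime.now(timezone.utc)
    if user.role not in PHI_ROLES:
        allowed, reason = False, "role does not require access to records"
    elif patient_id not in user.care_team_for:
        allowed, reason = False, "user is not on this patient's care team"
    else:
        allowed, reason = True, "care-team access"
    # Denied attempts are logged too: they are what the periodic review looks for.
    audit_log.append(AuditEvent(when, user.user_id, patient_id, allowed, reason))
    return allowed


def denied_by_user(audit_log):
    """Summarise denied attempts per user for the audit review."""
    summary = defaultdict(list)
    for event in audit_log:
        if not event.allowed:
            summary[event.user_id].append((event.patient_id, event.reason))
    return dict(summary)


def demo():
    """Constructed sample data: three users and three lookups."""
    nurse = User("nurse01", "clinician", {"P100", "P101"})
    clerk = User("clerk01", "front_desk")
    doc = User("doc02", "clinician", {"P300"})
    log = []
    results = [
        authorize_record_access(nurse, "P100", log),  # on care team: allowed
        authorize_record_access(clerk, "P200", log),  # role not permitted: denied
        authorize_record_access(doc, "P101", log),    # not on care team: denied (the question's case)
    ]
    return results, denied_by_user(log)


if __name__ == "__main__":
    results, denied = demo()
    print(results)
    for user_id, attempts in denied.items():
        print(user_id, attempts)
```

The third lookup is the situation in the question: a user whose role is otherwise entitled to view records, but who has no relationship to this particular patient. A password alone would not have stopped it; the care-team check denies it and the audit summary surfaces it by user.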

The security rule also requires that you take appropriate action against external threats, such as an attacker intercepting a confidential e-mail you have sent to a patient. These measures can be harder to settle on, because you must decide whether particular technical safeguards, such as encrypting e-mail messages or their attachments, are called for. The rule treats encryption as an "addressable" specification: you must assess whether it is reasonable and appropriate for your practice, implement it if so, and document the decision either way.