Yes, staff snooping of medical records is a privacy breach

August 1, 2016

Curiosity can be costly if your medical practice staff checks a patient’s medical record in certain situations, says a healthcare attorney.

A privacy breach can come in many forms. Breaches due to ransomware attacks have been grabbing headlines recently, and with good reason: the FBI estimates there are now an average of 4,000 attacks daily in the United States. But there are many other, even more common, types of privacy breaches which can be both embarrassing and potentially expensive for medical practices.

Matt Fisher, JD, co-chair of the health law group at Mirick O’Connell in Worcester, Massachusetts, says the problem he sees most often among his clients involves insider issues such as snooping, which is inappropriate access to patient records by staff members. For example, if someone on the staff sees a neighbor come into the office and, out of curiosity, checks the patient’s record to see why they are seeing a doctor, it is considered snooping and constitutes a breach of privacy.

Another example Fisher cites is if something happens in the community, such as a car accident or shooting, and someone in the office looks at patient records after watching the news to find out what happened.

Although such incidents may seem harmless, they still constitute privacy breaches and carry all the same risks.

Even if the employee doesn’t do anything with the information, once it has been accessed, it is a breach. A likely scenario is that the employee chats about what they saw in the patient’s record with a friend. Fisher says, “It’s not financial harm, but it is reputational harm.”

Another form of snooping, according to Fisher, occurs when an employee leaves a practice. Employees may take information and then use it to contact patients in order to try to sell them products or to attempt to take them to the new employer.

 

Many electronic health records (EHR) systems have an auditing function which shows who is opening files, and such a tool can serve as a deterrent. It may not prevent snooping, but strong monitoring policies can mitigate the harm that could result from snooping.

In addition to using the auditing function regularly, Fisher suggests doing random checks on each employee through the EHR on at least a monthly basis, to look for unusual activity. He says it is important to see what is being downloaded, and if an unusual pattern is observed, “it would be beneficial to investigate where that data are going to ensure that the use or access is appropriate.”

Finally, Fisher says that conducting a risk analysis is one of the most important ways to protect against privacy breaches. Risk assessments are being looked at more closely in the Office of Civil Rights’ current round of desk audits (through the U.S. Department of Health and Human Services) and, Fisher says, have been addressed in all the recent settlements. Many organizations are either not doing risk assessments or not taking them seriously. A risk assessment, according to Fisher, shows vulnerabilities, the likelihood of those vulnerabilities leading to a breach, and the potential harm that could result.

 
