Breaking Compliance News Blog

HIPAA question of the day: Do your employees snoop?

Posted by Margaret Scavotto, JD, CHC on 9/24/19 8:07 AM

Find me on:

Nurse snooped records of 1,309 patients

A medical center employee snooped medical records of 1,309 patients over 15 months. The nurse looked up records for patients assigned to herself, or to another nurse - but did not have a treatment reason to view the records. The patients were notified.

Car accident leads to firing of 12 employees for snooping

A health system suspended approximately 12 employees while it investigated a potential HIPAA breach. The investigation likely involves a fatal motor vehicle accident involving a health system employee. The driver and another passenger from the car accident were treated at local hospitals for injuries.

Receptionist fired for looking up co-worker contact info in EHR

A hospital operating room secretary was fired for twice accessing the EHR to find a co-worker’s phone number. First, the secretary was asked to find out if a co-worker would be coming in to work that day. The secretary could not find the hospital’s employee contact information sheet, so she logged in to the hospital’s EHR system to find the co-worker’s phone number (the co-worker had been a patient of the hospital). The secretary also used the EHR to find the co-worker’s phone number on another occasion.

The secretary was terminated because she did not have a work-related reason to access the co-worker’s EHR record. The secretary was replaced by a younger employee, which prompted the secretary to file an Age Discrimination claim against the hospital. The hospital won this case. The court found that the hospital had a legitimate, non-discriminatory reason for terminating the secretary (violations of hospital HIPAA and confidentiality policies).

What you can do

Car accidents, news stories, and other incidents can quickly make your patients “celebrities,” tempting employees to snoop. Sometimes, employees go to the EHR to look up information simply out of curiosity or convenience.

  • Train, train, train. To counter these temptations, your HIPAA training must be top-of-mind, rather than an annual or semi-annual reminder that is soon forgotten. Train staff vigilantly about the types of medical record access that are outside the scope of your policies and HIPAA.
  • Use your security program. Address snooping in your HIPAA security risk analysis and policies, and in your security management plan. Consider limiting access, and using access termination procedures, information system activity review, access log review, access controls, and setting up alerts within your electronic records system.
  • Take extra precautions when you have celebrities. You don’t have to be a Los Angeles provider to have celebrities. The Ebola virus made a Dallas hospital – and a few of its patients – front page news. Car accidents, criminals on the run, shootings, and other events can turn seemingly low-profile towns into front-page news. When you have a “celebrity,” take extra precautions. This might include admitting a patient under an alias, explaining the benefits of opting out of inclusion in the directory, conducting extra audits of medical records activity, and putting additional limits on medical record access.

chapter on snooping

MCS Signature November 2018

Topics: HIPAA

    Privacy Policy           Terms of Use