Common reasons employees snoop
The OCR announcement does not specify why the 23 security guards were accessing the medical records, but the incident raises questions about why the security guards had access to protected health information (PHI) in the first place, Mr. Redding said.
“I have yet to have anyone explain to me why the security guards would have access to PHI at all, at any level,” he said. “Was it by design or was it by error?”
In 2019, for instance, dozens of employees at Northwestern Memorial Hospital in Chicago were fired for accessing the health records of former Empire actor Jussie Smollett. In another high-profile case, nearly a dozen emergency medical service employees were caught snooping through 911 records connected to the treatment, and later the death, of Joan Rivers.
“Sadly, there is a lack of education around what compliance really means inside the medical industry as a whole,” Mr. Redding said. “There is a lack of employee training and a lack of emphasis on accountability for employees.”
Privacy breaches fuel lawsuits
Health professionals caught snooping through records are frequently terminated and employers can face a range of ramifications, including civil and criminal penalties.
A growing trend is class action lawsuits associated with privacy violations, Mr. Redding adds.
Because HIPAA gives patients no private right of action, they cannot sue in civil court for the HIPAA violation itself; instead, they frequently sue for “breach of an implied contract,” he explained. In such cases, patients allege that the privacy documents they signed with health care providers established an implied contract, and that the exposure of their records constituted a breach of that contract.
“Class action lawsuits are starting to become extremely common,” Mr. Redding said. “It’s happening in many cases, even sometimes before Health & Human Services issues a fine, that [providers] are being wrapped into a class action lawsuit.”
Mayo Clinic, for example, was recently slapped with a class action suit after a former employee inappropriately accessed the records of 1,600 patients. Mayo settled the suit in January 2023, the terms of which were not publicly disclosed.
Multiple patients also filed a class action suit against San Diego–based Scripps Health after its data were hit with a cyberattack and subsequent breach that impacted close to 2 million people. Scripps reached a $3.5 million settlement with the plaintiffs in 2023.
Some practices and employers may also face state penalties for data privacy breaches, depending on their jurisdiction. In July, Connecticut became the fifth state to enact a comprehensive data privacy law. The measure, which creates a robust framework for protecting health-related records and other data, includes civil penalties of up to $5,000 for violations. Other states, including California, Virginia, Utah, and Colorado, also have state data privacy laws on the books.
How can practices stop snooping?
A first step to preventing snooping is conducting a thorough risk assessment, said David Harlow, a health care attorney and chief compliance and privacy officer for Insulet Corporation, a medical device company. The analysis should address who has access to what data and whether they really need such access, he said.
“Then it’s putting in place the proper controls to ensure access is limited and use is limited to the appropriate individuals and circumstances,” Mr. Harlow said.
Regulators don’t expect a giant academic medical center and a small private physician practice to take an identical HIPAA compliance approach, he stressed. The ideal approach will vary by entity. Providers just need to address the standards in a way that makes sense for their operation, he said.
Training is also a critical component, adds Mr. Sims.
“Having training is key,” he said. “Oftentimes, an employee might think, ‘Well, if I can click on this data and it comes up, obviously, I can look at it.’ They need to understand what information they are and are not allowed to access.”
Keep in mind that settings or controls might change when larger transitions take place, such as moving to a new electronic health record system, Mr. Sims said. It’s essential to reevaluate controls when changes in the practice take place to ensure that everything is functioning correctly.
Mr. Sims also suggests that practices create an “If you see something, say something” policy that encourages fellow physicians and employees to report anything that looks suspicious in the electronic access logs. If an employee, for instance, is suddenly looking at many more records than usual, or at odd times of the day or night, this should raise red flags.
“It’s great to stop it early so that it doesn’t become a bigger issue for the practice to deal with, but also, from a legal standpoint, you want to have a defensible argument that you were doing all you could to stop this as quickly as possible,” he said. “It puts you in a better position to defend yourself.”
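The two red flags described above, a sudden jump in how many charts a user opens and access at odd hours, are the kind of thing an access-log review can catch mechanically. The following is an added illustrative example, not code from the article or from any EHR vendor. It assumes a simple whitespace-separated audit-log format (timestamp, user, role, action, patient identifier), an allowlist of roles with a clinical need to view PHI, a 07:00 to 19:00 business-hours window, and a “more than three times the user’s own median daily volume” threshold; the log lines, role names and thresholds are all constructed for the example and would need to be tuned to a real practice.

```python
"""Flag suspicious chart access in a constructed EHR audit log.

Three checks, matching the warning signs quoted in the article:
  1. a role that has no clinical need for PHI is viewing charts at all,
  2. access outside business hours,
  3. a user viewing far more distinct patients in one day than their own
     history suggests is normal.
Log format, roles and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit lines: "<ISO timestamp> <user> <role> <action> <patient>".
SAMPLE_LOG = [
    # nurse01: three normal days of three chart views each
    "2023-06-05T09:12:04 nurse01 nurse VIEW MRN1001",
    "2023-06-05T09:40:11 nurse01 nurse VIEW MRN1002",
    "2023-06-05T13:05:52 nurse01 nurse VIEW MRN1003",
    "2023-06-06T08:15:00 nurse01 nurse VIEW MRN1004",
    "2023-06-06T10:22:31 nurse01 nurse VIEW MRN1005",
    "2023-06-06T15:47:09 nurse01 nurse VIEW MRN1006",
    "2023-06-07T09:01:45 nurse01 nurse VIEW MRN1007",
    "2023-06-07T11:30:00 nurse01 nurse VIEW MRN1008",
    "2023-06-07T14:12:18 nurse01 nurse VIEW MRN1009",
    # clerk01: steady, in hours, in a role that legitimately needs the chart
    "2023-06-05T08:05:00 clerk01 registration VIEW MRN1001",
    "2023-06-06T08:07:13 clerk01 registration VIEW MRN1004",
    "2023-06-07T08:02:40 clerk01 registration VIEW MRN1007",
    "2023-06-08T08:09:55 clerk01 registration VIEW MRN1010",
    # guard01: a role with no clinical need, opening charts at 02:30
    "2023-06-08T02:30:10 guard01 security VIEW MRN1011",
    "2023-06-08T02:33:47 guard01 security VIEW MRN1012",
] + [
    # nurse01 on the fourth day: twenty distinct charts, far above baseline
    f"2023-06-08T{9 + i // 4:02d}:{(i % 4) * 15:02d}:00 nurse01 nurse VIEW MRN{3000 + i}"
    for i in range(20)
]

# Assumed policy values; a real practice would derive these from its risk assessment.
PHI_ROLES = {"nurse", "physician", "registration", "billing"}  # roles allowed to view PHI
BUSINESS_HOURS = range(7, 19)                                  # 07:00-18:59 counts as normal
VOLUME_MULTIPLIER = 3                                          # flag > 3x the user's median day
MIN_BASELINE_DAYS = 2                                          # need this much history first


def parse_line(line):
    """Split one audit line into a dict; timestamps become datetime objects."""
    ts, user, role, action, patient = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "action": action, "patient": patient}


def daily_distinct_patients(events):
    """Return {user: {date: number of distinct patients viewed that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][e["ts"].date()].add(e["patient"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_anomalies(lines):
    """Return a list of (finding_kind, user, when) tuples for review."""
    events = [parse_line(line) for line in lines]
    findings = []

    # Per-event checks: wrong role, or right role at the wrong time of day.
    for e in events:
        when = e["ts"].isoformat()
        if e["role"] not in PHI_ROLES:
            findings.append(("role_without_phi_need", e["user"], when))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_access", e["user"], when))

    # Per-user volume check against that user's own prior days.
    for user, per_day in daily_distinct_patients(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < MIN_BASELINE_DAYS:
                continue  # not enough history to call anything unusual
            if per_day[day] > VOLUME_MULTIPLIER * median(history):
                findings.append(("volume_spike", user, day.isoformat()))
    return findings


if __name__ == "__main__":
    for kind, user, when in flag_anomalies(SAMPLE_LOG):
        print(f"{kind:24} {user:10} {when}")
```

Each user is compared with their own history rather than with a fleet-wide average, so a registration clerk who legitimately opens many charts is not flagged while a nurse whose volume jumps from three charts a day to twenty is. The role check is the programmatic form of Mr. Redding's question about the security guards: if a role is not on the list of roles with a clinical or business need, any chart view at all is a finding, regardless of volume or time of day.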
The snooping security guards case holds an important lesson for all health providers, Mr. Harlow said.
“This is a message to all of us, that you need to have done the assessment up front,” he said. “You need to have the right controls in place up front. This is not a situation where somebody managed to hack into a system for some devious means. This is someone who was given keys. Why were they given the keys?”
A version of this article first appeared on Medscape.com.