Snooping of Protected Health Information (“PHI”) is perhaps one of the largest causes of breaches. Some studies estimate a quarter of all breaches are the result of snooping.
Perhaps Snooping is Largest Cause of Breaches
Snooping is sometimes viewed as insignificant; for instance, when a parent who may also be an employee of your organization, uses their own access to review the records of their child. However, if that parent is not involved in the child’s health care within the clinical context, they do not have a need to access that information. Accessing that information would be impermissible, and a HIPAA violation. Snooping is also common for high profile patients (i.e. individuals in the news or celebrities) as well as acquaintances (i.e. friends, colleagues, neighbors, etc.).
Guarding Against Snooping
In addition to being one of the most prevalent causes of PHI breaches, snooping can also be one of the most difficult to guard against. Here are some tips at guarding against snooping.
Implement strong access control: This begins with a clear access control policy that clearly defines what access is prohibited. It also combines audits of access logs to ensure staff are not accessing any PHI impermissibly;
Staff training: Consistent reminders to staff about snooping (among a plethora of other issues) is the best way to communicate to staff that you take this issue seriously and are reviewing logs to enforce the policy;
Consider restricting sensitive records: Most electronic health records will allow you to restrict who has access to certain records. This is much easier if you know a child of an employee is a patient, but it is harder when it is an acquaintance of staff. If this has been an issue for your organization, you might consider asking all new patients if the know anyone who works at your organization. If they do, and that staff member is not involved in their care, you might consider restricting that person from accessing that record.
Snooping, like many other aspects of keeping PHI privacy, requires vigilance and creative solutions. Due to the prevalence of snooping, and the ease with which it can be done, appropriate safeguards are necessary.