It’s become a near-daily occurrence in our headlines: security breaches and data theft are an unfortunate consequence of modern technology. Typically, it’s the large-scale insider theft or loss of protected health information that makes the news, but the reality is that small practices are not immune to patient record snooping.
According to a recent Healthcare Information and Management Systems Society (HIMSS) security survey, 80 percent of healthcare IT professionals identified snooping on personal patient information by employees to be the top threat motivator for breaches. But not all snooping is conducted for the purpose of criminal activity. In fact, snooping is more often done out of curiosity, peering into the records of friends, relatives or co-workers. Regardless of how minor the violation may seem to the perpetrator, patient record snooping is still a HIPAA breach that can result in fines of $1.5 million PER VIOLATION in cases of willful neglect. Most data breaches involve multiple violations, so it’s critical to take a proactive approach to ensure the security of your patients’ data.
In a small practice, it’s sometimes easy to become complacent about reinforcing privacy and security policies and procedures with employees, but it’s important to take steps to avoid potential fines and damage to your reputation.
Here are a few tips to help curb snooping in your practice:
Conduct a security risk analysis:
There are a myriad of required assessments for both Meaningful Use and HIPAA compliance, including administrative, physical and technical security of patient information. Ideally, this analysis should be guided by an experienced compliance professional.
Have a clear employee sanction policy and review with staff regularly:
Every new hire should have both written and verbal orientation to a zero-tolerance policy on snooping. This policy should also extend to all business associates, including accountants, attorneys and IT professionals who may have access to patient records.
Let employees know that activities are being monitored:
What’s measured matters. When employees are aware that their access is under regular scrutiny, it may cause them to think twice before doing something inappropriate. It’s also best to eliminate temptation and give access to only the minimal necessary data, along with keeping up-to-date password protection on files and prohibiting password sharing.
Regularly audit who is accessing patient records and develop a formal process for providing access:
Your office manager should create controls for granting and terminating employee access to patient records. Access needs to be monitored regularly and modified as roles change and employees leave the practice.
Data from the Department of Health and Human Services indicates that more than 41.4 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach. While a major healthcare system can take a million-dollar security fine hit and keep going, costly violations like this can ruin a small practice. Make certain to keep your practice safe and secure.
If you have additional questions, please contact your KB Healthcare Consulting Senior Medical Consultant, Johna Kennedy-Preston, CPC, at (941) 953-7451 ext. 1423.