Whether it's the result of sheer curiosity or motivated by an act of malice, EHR snooping is a serious employee offense that can occur at any hospital.
The Medical University of South Carolina in Charleston fired 13 employees in 2017 for viewing patient records without authorization. Earlier this year, Chicago-based Northwestern Memorial Hospital terminated approximately 50 staff members who inappropriately accessed actor Jussie Smollett's medical records. One employee told NBC Chicago she was fired on the spot.
"Simply put, it was morbid curiosity," the former employee said of viewing Mr. Smollett's health information. "I went into the charting system and started to search his name. I clicked just once. I never clicked into his chart."
Curiosity can also tempt employees to look at health records of patients they know personally, from family members to coworkers. Between 2016 and 2017, HHS reported that 1,309 records were inappropriately accessed by a single employee at a healthcare organization.
In March, a patient at Winfield, Ill.-based Northwestern Medicine Regional Medical Group sued the health system and a former employee for allegedly accessing her health records and posting them on social media. The lawsuit claimed the former employee viewed the patient's medical records before sending them to her ex-boyfriend, who posted the information on Twitter.
"In some instances, an employee believes they are helping a friend or loved one by looking at their chart and then providing guidance as to which provider to seek care from or how to assist with scheduling an appointment," Penn Medicine CIO Michael Restuccia said. "In other situations, an employee is simply curious regarding a friend or loved one's health, reason for an appointment or perhaps changes in behavior. Regardless of the reason, without written consent, both situations represent inappropriate employee behavior."
While some employees have faced termination for EHR snooping, others may also face legal ramifications. In June, a former care coordinator at Pittsburgh-based UPMC was sentenced to one year in federal prison for illegally accessing and disclosing 111 patients' medical records. After being fired from UPMC in June 2017, Lisa Kalina, 62, went on to work for Allegheny Health Network in Pittsburgh, where she again inappropriately disclosed patient health information. In addition to her prison sentence, Ms. Kalina faces three years of probation.
HHS' HIPAA privacy and security rules require hospitals and health systems to apply sanctions to staff members who violate privacy and security policies, including by EHR snooping. However, HHS' Office for Civil Rights (OCR) leaves the responsibility of determining the appropriate punishment to the healthcare organization itself, an OCR spokesperson said in an emailed statement to Becker's Hospital Review.
How to bust it
While EHR snooping may not be completely preventable, there are controls hospitals can implement to better monitor employees' access to the EHR, such as audit logs. Enabling audit logging within the EHR gives hospitals the ability to analyze user activity, including log-on attempts and record edits.
"Once enabled and configured, [hospitals] should implement processes to review user activity to identify potential unauthorized access or misuse of health information," according to OCR. "Regular reviews of audit logs can assist in identifying suspicious activity as it is occurring as well as provide a record to reconstruct events that happened in the past."
Additionally, under the HIPAA Security Rule, covered entities such as hospitals and health systems are required to put in place role-based access controls that restrict EHR access based on an individual's specific job position, such as physician, scheduler or biller, according to OCR. Hospitals may also consider locking the records of patients at higher risk of unauthorized viewing, such as celebrities or employees who are also patients, so that they cannot be opened without additional authorization.
How hospitals are preventing it
NewYork-Presbyterian Hospital partnered with Splunk, an information security company, to develop a patient privacy platform that uses correlation and machine learning technology to identify potential instances of EHR snooping.
"This includes employees who browse coworker records, view excessive numbers of records or those of a high-profile patient," said Jennings Aske, senior vice president and CISO at the New York City-based health system. "NYP has also implemented advanced security software to protect high-risk IT accounts from being hacked and used by cyber criminals or insider threats."
At Philadelphia-based Penn Medicine, employees receive ongoing education from initial orientation to annual mandatory data privacy and security-training sessions to best differentiate between appropriate and inappropriate access to patient data.
Additionally, the health system implemented an electronic surveillance tool that can identify any suspicious access of patient health records. The tool generates a detailed report of patient data accessed, which Penn Medicine's Data Privacy Compliance team reviews during an investigation of the suspicious behavior.
"In many instances, the investigation reveals that the employee had a valid reason for accessing the records, [for example, a] consult or new member to care team," Mr. Restuccia said. "Unfortunately in other scenarios, the investigation reveals inappropriate access and action [is taken] ranging from a warning to employee termination."
Beaumont Health in Southfield, Mich., also uses a machine-learning tool within the EHR that can monitor each access a workforce member makes in the system, according to Kelly Partin, Beaumont Health senior director of compliance. After performing a review of the staff member's job position and work location, among other factors, the tool can flag suspicious access for further investigation.
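The controls and detection patterns described above (audit-log review, role-based access restrictions, extra authorization for high-risk records, and flagging of coworker lookups, high-profile patient access and excessive volume after checking the user's job position and site) can be illustrated with a small audit-log review script. The following is an added example written for this article; it is not code from any of the hospitals, vendors or tools named here. The log format, the user roster, the patient attributes, the care-team assignments, the per-role daily thresholds and every identifier are constructed for the example.

```python
"""Toy review of EHR audit-log lines for the snooping patterns the article
describes: coworker-record access, high-profile records opened without
authorization, actions outside the user's role, cross-site access, unusually
high daily volume, and break-the-glass overrides that always need a second
look. All identifiers, thresholds and log lines below are constructed."""
from collections import defaultdict

# Constructed reference data. In a real deployment these would come from HR,
# the EHR user directory and the care-team assignment tables.
ROSTER = {                      # user -> (job role, work site)
    "u100": ("scheduler", "north"),
    "u200": ("biller", "north"),
    "u300": ("physician", "south"),
    "u400": ("nurse", "north"),
}
PATIENTS = {                    # patient -> (site, staff user id if the patient is an employee, high-profile flag)
    "p5001": ("north", None, False),
    "p5002": ("north", None, False),
    "p5003": ("north", None, False),
    "p5004": ("north", None, False),
    "p5005": ("north", None, False),
    "p7001": ("north", "u400", False),   # nurse u400 is also a patient here
    "p9001": ("north", None, True),      # high-profile patient
    "p9002": ("south", None, True),      # high-profile patient
}
CARE_TEAM = {("u300", "p9002"), ("u400", "p5003"), ("u400", "p5004")}
ALLOWED_ACTIONS = {"scheduler": {"view"}, "biller": {"view"},
                   "physician": {"view", "edit"}, "nurse": {"view", "edit"}}
DAILY_DISTINCT_PATIENT_LIMIT = {"scheduler": 5, "biller": 5,
                                "physician": 40, "nurse": 40}

# Constructed audit log. Assumed format: timestamp,user,patient,action,break_glass(0/1)
AUDIT_LOG = """\
2019-09-03T08:02:11,u100,p5001,view,0
2019-09-03T08:05:40,u100,p5002,view,0
2019-09-03T08:09:12,u100,p5003,view,0
2019-09-03T08:14:03,u100,p5004,view,0
2019-09-03T08:20:05,u100,p5005,view,0
2019-09-03T08:25:30,u100,p9001,view,0
2019-09-03T09:10:00,u200,p7001,view,0
2019-09-03T09:15:22,u200,p5001,edit,0
2019-09-03T10:00:00,u300,p9001,view,1
2019-09-03T10:30:00,u300,p9002,edit,0
2019-09-03T11:00:00,u400,p5003,view,0
2019-09-03T11:01:00,u400,p5004,edit,0
"""


def parse_log(text):
    """Turn the comma-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, break_glass = line.split(",")
        events.append({"ts": ts, "day": ts[:10], "user": user, "patient": patient,
                       "action": action, "break_glass": break_glass == "1"})
    return events


def review(events):
    """Return (rule, user, detail) findings for a compliance reviewer."""
    findings = []
    per_day = defaultdict(set)          # (user, day) -> distinct patients opened
    for e in events:
        role, user_site = ROSTER[e["user"]]
        patient_site, patient_employee, high_profile = PATIENTS[e["patient"]]
        on_care_team = (e["user"], e["patient"]) in CARE_TEAM
        per_day[(e["user"], e["day"])].add(e["patient"])

        # Role-based access: an action the job position is not entitled to.
        if e["action"] not in ALLOWED_ACTIONS[role]:
            findings.append(("ROLE_ACTION", e["user"],
                             f"{role} performed {e['action']} on {e['patient']}"))
        # Break-the-glass overrides are permitted but always surfaced for review.
        if e["break_glass"]:
            findings.append(("BREAK_GLASS", e["user"], f"override used on {e['patient']}"))
        elif not on_care_team:
            # High-risk record opened with neither care-team membership nor an override.
            if high_profile:
                findings.append(("VIP_NO_AUTH", e["user"], f"opened high-profile record {e['patient']}"))
            # Record belongs to a coworker (own-record lookups are a separate policy question).
            if patient_employee and patient_employee != e["user"]:
                findings.append(("COWORKER", e["user"],
                                 f"opened record {e['patient']} of staff member {patient_employee}"))
            # Patient is treated at a site the user does not work at.
            if patient_site != user_site:
                findings.append(("CROSS_SITE", e["user"],
                                 f"{user_site} user opened {patient_site} record {e['patient']}"))

    # Volume check: more distinct patients in a day than the role's baseline allows.
    for (user, day), patients in per_day.items():
        limit = DAILY_DISTINCT_PATIENT_LIMIT[ROSTER[user][0]]
        if len(patients) > limit:
            findings.append(("VOLUME", user,
                             f"{len(patients)} distinct patients on {day} (limit {limit})"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(AUDIT_LOG)):
        print(f"{rule:12} {user:5} {detail}")
```

Run against the constructed log, the script flags the scheduler who opened a high-profile record and six charts in one morning, the biller who opened a coworker's record and edited a chart, and the physician's break-the-glass override; the nurse's care-team accesses produce no findings. Every finding is a lead for the privacy team's investigation, not a verdict: as Mr. Restuccia notes above, a consult or a new care-team assignment often turns out to be the valid reason behind an access that looked suspicious, so the care-team table must be kept current to keep the false-positive rate down.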