EHR audit catches snooping employee

Nearly 900 notified of new HIPAA breach
By Erin McCann
11:06 AM
Share
Snooping employees
Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients' confidential information, as one California hospital has observed this past week. 
 
Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients' medical data for an entire year.

The incident was discovered after the hospital conducted an EHR audit back in October 2014. When it was first discovered only 14 individuals had had their PHI compromised. 

 
 
Following an "expanded investigation," hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes. 
 
As officials pointed out, the hospital has "reiterated to all staff that policy allows them to access patient information only when necessary to perform job duties and that violating this policy may result in loss of employment," they wrote in a Jan. 23 press notification. 
 
The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News in spring 2014 on Verizon's annual breach report. "You need to know who has the data, who has access the data, and you need to monitor it," Widup pointed out. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."
 
 
This snooping incident at California Pacific Medical Center is far from an isolated event. As more hospitals conduct more regular EHR audits, cases like this are only increasing in number. 
 
One of the more egregious incidents was reported by the five-hospital Riverside Health System back in December 2013. Following a random company audit, officials discovered an employee had unrestricted access to Social Security numbers and clinical data of close to 1,000 patients for a period of four years. 
 
Then, of course, there was the HIPAA breach at University Hospitals just in December, where an employee had been reading confidential medical records of nearly 700 patients. What's more, the employee had unfettered access to the records for nearly three and a half years before being discovered and was only caught because the health system had received a snooping complaint. 
 
This kind of employee behavior has long been on the minds of chief information officers nationwide. 
 
In an interview with Texas Health Resources Chief Information Officer Ed Marx this past summer, he told us: "The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do."
 
 
Out of the nearly 42 million individuals that have had their protected health information compromised in reportable HIPAA privacy and security breaches, nearly 13 percent of them involve inappropriate access or disclosure of patient records, according to data from the Department of Health and Human Services.