Insiders stealing patient information are still a major threat to healthcare institutions. According to the Verizon 2020 Data Breach Investigations Report, insider threat actors account for 48% of all breaches in healthcare. Some of these are negligent mistakes, but too many are intentional.
This is a HIPAA violation, which may require a public report to the HHS Breach Portal or result in an investigation and costly fines imposed by the Office for Civil Rights (OCR), which enforces HIPAA.
Mayo Clinic Hit with Class Action Lawsuit
It could also result in an expensive lawsuit, as the Mayo Clinic found out last month when a patient sued under the Minnesota Health Records Act which prohibits unauthorized access to health records. The patient also sued for invasion of privacy and emotional distress, and the lawyers are seeking to expand the case into a class action to include all the affected patients. All because one former employee accessed the medical records of 1,600 patients. The distraction and time lost to the lawsuit, and legal fees added to potential dollar damages if the patients succeed, will be enormous. If OCR investigates, more time will be required, and fines imposed if the investigation uncovers major problems.
HIPAA does not provide individuals the right to sue for HIPAA violations, but breach of privacy lawsuits under state law are becoming more common. Federal class action lawsuits are also happening, claiming negligence, invasion of privacy, breach of contract, and breach of fiduciary duty, not under HIPAA but under other laws.
Eleven Healthcare Providers Reported Insider Snooping in 2020
In addition to Mayo Clinic, ten other hospitals and health systems reported that employees had snooped in Electronic Health Records (EHR) systems in 2020, according to Becker’s Hospital Review. The health care providers are of different sizes and are from across the country, including Hawaii, Minnesota, Arkansas, Chicago and New York. The privacy of thousands of patients was breached.
Under HIPAA, when employees violate the privacy of patients, covered entities and business associates are required to impose appropriate sanctions against them, up to and including termination for intentional acts. In each case, the employees responsible for the snooping were fired (unless they were former employees). Former employees are usually able to access EHR systems because the employer neglected to change passwords and cut off their access. HIPAA requires strong access controls, and failing to terminate access for employees who leave is a HIPAA violation.
Access Controls and Training are Essential
Covered entities and business associates must only allow access to the records that an employee’s job responsibilities require. They must have strong password policies and prohibit the sharing of access credentials or passwords. Internal system monitoring can also be used to uncover inappropriate access behavior.
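The three controls above (terminate access when employees leave, limit access to the patients an employee actually works with, and monitor access) map directly onto checks that can be run over an EHR audit log. The following is an added example, not code from the original article or from any EHR vendor; the comma-separated audit log format, the workforce roster and the assigned-patient lists are all constructed for illustration, and the thresholds are assumptions a compliance team would tune to its own environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample EHR audit log (hypothetical format: timestamp,user,patient_id,action).
AUDIT_LOG = """\
2020-09-01T08:02:11,nurse_a,P1001,view
2020-09-01T08:05:40,nurse_a,P1002,view
2020-09-01T09:10:02,dr_b,P1001,view
2020-09-01T09:12:55,clerk_c,P2001,view
2020-09-01T09:13:01,clerk_c,P2002,view
2020-09-01T09:13:07,clerk_c,P2003,view
2020-09-01T09:13:12,clerk_c,P2004,view
2020-09-01T10:30:00,former_d,P1001,view
2020-09-01T11:00:00,nurse_a,P3001,view
"""

# Constructed workforce roster: accounts still active (former_d has left and should have been disabled)
# and, for each active user, the patients they have a treatment or job-related relationship with.
ACTIVE_USERS = {"nurse_a", "dr_b", "clerk_c"}
ASSIGNED_PATIENTS: Dict[str, Set[str]] = {
    "nurse_a": {"P1001", "P1002"},
    "dr_b": {"P1001"},
    "clerk_c": {"P2001", "P2002", "P2003", "P2004"},
}


@dataclass(frozen=True)
class Finding:
    rule: str    # which monitoring rule fired
    user: str    # account involved
    detail: str  # patient / time context for the reviewer


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed CSV-style audit log into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def analyze(log_text: str, active_users: Set[str], assignments: Dict[str, Set[str]],
            bulk_threshold: int = 4, window_seconds: int = 60) -> List[Finding]:
    """Apply three insider-snooping checks to the audit log and return one Finding per distinct hit.

    1. terminated_user_access:    an account not on the active roster still touched a record.
    2. no_treatment_relationship: an active user opened a patient outside their assignment.
    3. bulk_record_access:        one user opened >= bulk_threshold distinct patients within window_seconds.
    """
    findings: List[Finding] = []
    seen: Set[Finding] = set()

    def add(f: Finding) -> None:
        if f not in seen:
            seen.add(f)
            findings.append(f)

    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, patient, _action in parse_log(log_text):
        if user not in active_users:
            add(Finding("terminated_user_access", user, f"{patient} at {ts.isoformat()}"))
        elif patient not in assignments.get(user, set()):
            add(Finding("no_treatment_relationship", user, f"{patient} at {ts.isoformat()}"))
        per_user[user].append((ts, patient))

    # Sliding window over each user's accesses to catch mass viewing of many charts in a short time.
    window = timedelta(seconds=window_seconds)
    for user, accesses in per_user.items():
        accesses.sort()
        for i, (start, first_patient) in enumerate(accesses):
            distinct = {first_patient}
            j = i + 1
            while j < len(accesses) and accesses[j][0] - start <= window:
                distinct.add(accesses[j][1])
                j += 1
            if len(distinct) >= bulk_threshold:
                add(Finding("bulk_record_access", user,
                            f"{len(distinct)} distinct patients within {window_seconds}s starting {start.isoformat()}"))
                break  # one bulk finding per user is enough for a reviewer
    return findings


def run_sample() -> List[Finding]:
    """Run the checks over the constructed log and roster."""
    return analyze(AUDIT_LOG, ACTIVE_USERS, ASSIGNED_PATIENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.rule:28} {finding.user:10} {finding.detail}")
```

On the constructed data this produces three findings: the former employee's access (the termination-of-access failure the article describes), a nurse opening a chart outside her assignment, and a clerk opening four charts in seventeen seconds. The first rule depends on the HR roster being current, which is exactly the control that fails when an employer forgets to cut off departing staff; the third rule is the one that would have surfaced a single account reading 1,600 records.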
HIPAA training is, of course, required, and for many reasons: to explain the basics of HIPAA, to instill a culture of compliance, and to make clear what each employee’s role requires to preserve patient privacy. During training, employees should also be told the consequences of failing to follow HIPAA policies, including the sanctions they will face for violating them.
Avoid snooping disasters and expensive lawsuits with the right guidance. The HIPAA E-Tool® shows you how to manage a top notch HIPAA compliance program with all the policies and forms needed, and a robust Risk Analysis module to keep you on track. It also includes workforce training, guaranteed to heighten awareness and reduce your risk of insider snooping.