Prying eyes: Protecting patient records

Cases of identity theft steal headlines, but simple curiosity is the biggest culprit for security breaches inside hospitals and practices. Here's how to prevent it -- and how to catch the snoopers.

By Pamela Lewis Dolan — Posted Oct. 1, 2007


Electronic access to patient data has made it easier to look up information -- sometimes too easy.

You've probably heard stories about employees or others tapping patient information systems for identity theft. But the more frequent problem is snooping -- curious staff or others with system access who look at information they're not authorized to see.

It sounds innocent, but HIPAA and an increasing number of state laws that cover disclosure of information breaches don't make distinctions based on intent. An information breach is an information breach, which means physician practices not only have to find ways to keep gawkers away but also must be ready to carry out consequences -- or face them -- if a breach occurs.

A case in point: New Hampshire Orthopedics in Manchester, N.H., discovered that someone who wasn't supposed to look at a patient's information had done so -- and was telling others about what was in the file.

An employee had tapped into the electronic medical record system of Elliot Health System, which the practice and employees were authorized to use. The patient whose files were breached was an employee at the orthopedic practice. When workers started to gossip about what they had found, a practice manager contacted Elliot, which used a system audit to trace the breach back to two employees.

New Hampshire Orthopedics fired the employees, but Elliot was in the hot seat, as state law required the hospital to file a disclosure and contact the patient. The practice's name was included in the publicly available report.

The hospital launched a "robust" effort to educate employees, doctors and contracted EMR users, said Katherine St. Jean, Elliot's director of compliance, who headed the investigation. New Hampshire Orthopedics deferred comment to her.

Everyone needs to know that "you don't need to go into that record if you don't have a part in the treatment for that patient," St. Jean said.

Tighter laws and policies

Before HIPAA, the culture inside the practice was very different, St. Jean said, and paper-based systems were conducive to that culture. If doctors or nurses were curious about a patient, they took a quick look at the file, which could be taken easily from a shelf or a file holder.

Even though most peeks are still innocent, they now violate laws. The struggle is in reprogramming people, St. Jean said.

Many don't understand that an innocent peek can be illegal, said John Christiansen, a privacy attorney from Seattle.

"If you don't have a legitimate purpose for looking at a record ... the fact is you are creating a disclosure of the information to yourself, and that is illegal," Christiansen said. "The fact that you didn't share the information is a good thing -- it minimizes the potential for harm -- but there's no distinction in the law for 'no harm, no foul.' "

And if a practice is allowing it to happen, or not doing enough to prevent it, practice owners could be liable as well, he said.

Under the law, practices are required to keep patient records confidential. So even the most benign breaches need to be addressed, Christiansen said. If they aren't, and a major violation occurs and an investigation is launched by the Office for Civil Rights, the last thing you want to do is give the impression that you aren't serious about patient privacy, Christiansen said. A pattern of noncompliance could result in action by the Justice Dept., though so far, it hasn't prosecuted any cases along those lines.

Legal doesn't always mean OK

HIPAA does not mandate how practices should deal with non-criminal breaches of security. But at the very least, practices can find themselves faced with major headaches or bad publicity. Notification laws that are now in place in at least 35 states require practices to inform patients of any breach, and in some cases, those laws, like New Hampshire's, require public disclosure to a state regulator as well.

There is an effort to make such rules national. Earlier this year, Sens. Patrick Leahy (D, Vt.) and Edward Kennedy (D, Mass.) introduced their proposed Health Information Privacy and Security Act, which would require notification within 15 days of a breach.

Regardless, experts believe hospitals and practices should notify patients every time a breach occurs, no matter how severe or mild.

St. Jean admits that notifying patients every time a minor breach occurs can make her job hectic. But "I think that it's advantageous for the patients to see how quickly we respond to this, and they know we do take it seriously."

St. Jean said the patient in the orthopedic practice case was "a little taken aback" when St. Jean called to tell her what happened, but in the end was happy she had been told.

As an attorney, Christiansen said he advises clients to look at HIPAA as "the floor, not the ceiling" when it comes to establishing policy. That applies not only to notification laws but also to creation of policies on how patient records are handled in your practice.

Marlene Giesecke, RN, a consultant for PivotHealth who is on assignment at Queens Long Island Medical Group in New York, said policies should spell out exactly what is and is not allowed and the penalties for breaking the rules.

Even though most EMR systems have role-based access, a control that helps a practice meet HIPAA's access-control requirements, being able to open a file doesn't equate to a legal right to review it. The practice's policies should reiterate HIPAA rules and restrict access to the information needed to do one's job, even if the system technically allows broader access, experts say.

Punishment for breaking the rules can vary based on severity, but the policy should be clear as to what the consequences are, Giesecke said.

Everyone also knows that mistakes happen and that the wrong file can be opened inadvertently. Experts say policies should distinguish between mistakes and violations, but it should be established at the time of an employee's hire, or when an EMR is brought into the practice, that patient privacy is a serious matter and that a pattern of slip-ups will not be tolerated.

Christiansen believes in the "three strikes and you're out" rule when it comes to mistakes. He suggests a warning for the first offense, probation and close monitoring the second time, and suspension or termination for the third offense.

Easier to snoop -- easier to catch

The auditing function in most EMRs can help a practice determine if a breach was a mistake or whether snooping is widespread in the office.

At its most basic level, the audit shows which files were opened when and by whom. Giesecke described obvious red flags: files opened outside of office hours; an extraordinary number of files opened compared with the number of patients seen; files changed by non-physicians; the opening of files belonging to VIPs, employees or family members of employees; and for larger practices, files opened by employees in a department different from the one where the patient was seen.

A more detailed audit can help distinguish mistakes from snooping. For example, if a file for Jonathon Smith was opened by an employee who claims she was looking for Johnathon Smith, experts say the audit can show how long the "wrong" file was opened, which file the user went to next, and a history of files the user opened.

Jack Danahy, chief technology officer and co-founder of Ounce Labs, a Waltham, Mass.-based company that analyzes software for possible security risks, said establishing a strict environment is the best way to prevent violations.

Simply telling employees they are being watched helps prevent many cases of snooping.

"If it's known there is a log that goes out at the end of the week that records who looked at what ... they are less likely to snoop," he said.

But an audit function is effective only if it's regularly used, Giesecke said. She recommends running an audit that looks for red flags at least once a month. Other audits can include a more detailed look at employees on probation or under suspicion.

An audit also can be done on a specific patient's file, which was how St. Jean at Elliot determined the employees at New Hampshire Orthopedics had illegally accessed the files of their co-worker.
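The three audit techniques described above (the monthly red-flag sweep, the closer look that separates a wrong-file mistake from snooping, and the trace of everything that touched one patient's file) as an added example, not Elliot's, Ounce Labs' or any EMR vendor's code. The pipe-delimited log layout, the office hours, the thresholds, the watched tags and the sample records are all constructed assumptions for this example; real EMR audit exports vary by vendor and would be mapped into the same fields first.

```python
from collections import defaultdict
from datetime import datetime, time
from difflib import SequenceMatcher

# Constructed sample audit records, not real data. The field layout below
# is an assumption for this example; real EMR audit exports differ by vendor.
# ts|user|role|user_dept|action|patient_id|patient_name|patient_dept|tag
SAMPLE_LOG = """\
2007-09-10T09:02:00|jdoe|nurse|ortho|view|P1001|Alice Park|ortho|
2007-09-10T09:05:00|jdoe|nurse|ortho|view|P1002|Jonathon Smith|ortho|
2007-09-10T09:05:25|jdoe|nurse|ortho|view|P1003|Johnathon Smith|ortho|
2007-09-10T09:20:00|rlee|physician|ortho|edit|P1003|Johnathon Smith|ortho|
2007-09-10T21:40:00|msmith|clerk|billing|view|P2001|Dana Cole|ortho|employee
2007-09-10T21:42:00|msmith|clerk|billing|view|P2001|Dana Cole|ortho|employee
2007-09-11T10:00:00|msmith|clerk|billing|edit|P2001|Dana Cole|ortho|employee
2007-09-11T10:30:00|tkim|clerk|ortho|view|P3001|Evan Ruiz|cardiology|
"""

FIELDS = ["ts", "user", "role", "user_dept", "action",
          "patient_id", "patient_name", "patient_dept", "tag"]
OFFICE_HOURS = (time(8, 0), time(18, 0))      # assumed practice hours
WATCHED_TAGS = {"vip", "employee", "employee-family"}   # assumed tagging


def parse_log(text):
    """Parse pipe-delimited records into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def red_flags(records, max_files_per_day=50):
    """Monthly sweep for the red flags listed in the article.

    Returns sorted (user, reason) pairs. The volume threshold is a stand-in:
    in practice compare each user's distinct files against the day's schedule.
    """
    flags = set()
    per_day = defaultdict(set)                # (user, date) -> patient ids
    for r in records:
        per_day[(r["user"], r["ts"].date())].add(r["patient_id"])
        if not OFFICE_HOURS[0] <= r["ts"].time() <= OFFICE_HOURS[1]:
            flags.add((r["user"], "off-hours access"))
        if r["action"] == "edit" and r["role"] != "physician":
            flags.add((r["user"], "edit by non-physician"))
        if r["tag"] in WATCHED_TAGS:
            flags.add((r["user"], "opened %s file" % r["tag"]))
        if r["user_dept"] != r["patient_dept"]:
            flags.add((r["user"], "cross-department access"))
    for (user, day), patients in per_day.items():
        if len(patients) > max_files_per_day:
            flags.add((user, "%d files opened on %s" % (len(patients), day)))
    return sorted(flags)


def near_miss(records, user, patient_id, max_dwell=60, min_similarity=0.8):
    """Weigh a 'wrong file' claim: how long the file stayed open (time until
    the user's next action), which file came next, whether the two names look
    alike, and the user's full history. Thresholds are assumptions."""
    seq = [r for r in records if r["user"] == user]
    for i, r in enumerate(seq):
        if r["patient_id"] != patient_id:
            continue
        nxt = seq[i + 1] if i + 1 < len(seq) else None
        dwell = (nxt["ts"] - r["ts"]).total_seconds() if nxt else None
        similarity = (SequenceMatcher(None, r["patient_name"],
                                      nxt["patient_name"]).ratio() if nxt else 0.0)
        return {
            "dwell_seconds": dwell,
            "next_patient": nxt["patient_id"] if nxt else None,
            "name_similarity": round(similarity, 2),
            "history": [x["patient_id"] for x in seq],
            "plausible_mistake": nxt is not None and dwell <= max_dwell
                                 and similarity >= min_similarity,
        }
    return None


def patient_trace(records, patient_id):
    """Every touch of one patient's file, oldest first: the per-patient lookup."""
    return [(r["ts"].isoformat(), r["user"], r["action"])
            for r in records if r["patient_id"] == patient_id]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, reason in red_flags(recs):
        print("FLAG", user, reason)
    print("near miss?", near_miss(recs, "jdoe", "P1002"))
    print("trace P2001:", patient_trace(recs, "P2001"))
```

On the constructed records the sweep flags the billing clerk for off-hours, cross-department and employee-file access plus a non-physician edit, and the ortho clerk for a cross-department view; the nurse who opened Jonathon Smith's file for 25 seconds before moving to Johnathon Smith's is scored as a plausible mistake, while the clerk who reopened the same employee's file minutes later is not. A real review would also pull the user's probation status and the day's appointment list before deciding anything.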

In addition to an audit, a warning can be placed on vulnerable files that will pop up every time such a file is about to be opened, stating that activity on the file will be watched closely. Giesecke said this warning is placed on every file her practice feels could raise curiosity, including files of employees and their families.

Even though accessing an electronic file is physically easier than pulling a paper file off a shelf, St. Jean said the technology has made the files more secure.

If the hospital had been working with paper files, "there would have been no trail," St. Jean said.

"It really has never been so secure, and that's a really good thing for us and our employees ... but also for all our patients."



Privacy complaints

The Office for Civil Rights, a division of the U.S. Dept. of Health and Human Services, received 29,276 HIPAA complaints between April 14, 2003, when it began enforcing the law, and July 31, 2007. Of 23,037 cases that were closed, 7,380 required an investigation. Two-thirds of those investigations resulted in a "corrective action" -- mainly, some change or clarification in policy from the investigated entity. Only four cases have resulted in criminal convictions or guilty pleas, and three of those involved practice employees engaged in identity theft. The fourth case involved the cousin of one of those employees. A breakdown of OCR investigations:

Year   Total investigations   No violation   Corrective action
2003                    339             79                 260
2004                  1,392            359               1,033
2005                  1,803            642               1,161
2006                  2,466            895               1,571
2007                  1,380            453                 927

Note: 2007 data is as of July 31.

Source: Office for Civil Rights, U.S. Dept. of Health and Human Services


Into the breach

At least 38 states have laws that require notification when personal information is breached, but the laws vary in terms of what needs to be disclosed and to whom. Laws are also inconsistent regarding what types of breaches need to be reported, with some mandating reporting of only those that occur with criminal intent and others requiring notification of all breaches. Some examples are below:

Delaware: Requires immediate reporting to the Delaware Dept. of Justice if personal information is breached. The law specifically includes medical information as personal data.

Hawaii: Requires notification to the person whose data was breached. The notification must include a description of the type of breach. A breach of more than 1,000 people requires notification to the state's Office of Consumer Protection and the national credit bureaus.

Kansas: Notification to the person affected must be made if an investigation finds a security breach occurred or is likely to occur. Credit agencies must be contacted if more than 1,000 people are affected.

Louisiana: Rapid notification is required only if an investigation finds there is reasonable likelihood of harm to those whose information was breached.

New Hampshire: Notification of all breaches is required to those affected and to the attorney general.

New York: Any affected person, the attorney general, the state's Consumer Protection Board and the Cyber Security and Critical Infrastructure Coordination Office must be notified of all breaches.

Oklahoma: Requires immediate notification in case of data breach, but the law applies only to data held by state agencies.

Source: List compiled by the law firm of McDermott Will & Emery, Chicago
