On-the-spot Email Interventions Minimize Recurring Medical Record Snooping Cases by 95%

New research shared in JAMA Open Network revealed that quick intervention right after an incident of unauthorized access to protected health information (PHI) by medical staff is 95% efficient at stopping recurring offenses.

Healthcare data breaches are happening at high levels, and although big data breaches tend to be the consequence of hacking as well as other IT cases, insider breaches like snooping on healthcare records are widespread. Based on HHS information, in 2019, 92% of both big and small breaches were linked with unauthorized access.

Even though many incidents of staff snooping on the healthcare records of VIP individuals were mentioned in the press, these sorts of snooping cases are fairly unusual. It is a lot more prevalent for medical care staff to access the healthcare data of members of the family, friends, and co-workers, and those privacy breaches could be equally harmful to patients.

All incidents of unauthorized access begin with a staff viewing one patient file, however, they may easily become serious data breaches when unmonitored. There were a number of cases of medical workers accessing the healthcare information of a large number of patients with no permission over many years if the unauthorized access isn’t immediately discovered and resolved.

Research done by Bai, Jiang, and Flasher in 2017 discovered the threat of data breaches was greater at big academic healthcare centers compared to other hospitals. About 1/4 of the data breaches had been incidents of staff viewing patient data with no consent.

The latest research called Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial, carried out by researchers at Johns Hopkins, Michigan State University, and Nick Culbertson, Co-founder and CEO of the medical care compliance analytics company Protenus, looked into the efficiency of email alerts at stopping repeat offenses by workers.

From January 1 to July 31, 2018, a system that checked unauthorized PHI accessing at a big academic hospital flagged unapproved accessing of electronic health records by 444 staff members, who were specialized medical personnel not involved with the patient’s intervention team and didn’t have access authorization.

A team of 219 staff members was chosen at random and got an email notification on the evening of their access. The email mentioned that the person was discovered to have accessed a patient’s electronic health record without any work-related reason, and that was a violation of privacy. The rest of the 225 staff members belonged to a control group and got no email notification.

In the team that got an email warning, 4 out 219 employees continued to access patient data with no consent on another occasion within 20 to 70 days after the first unauthorized access. In the control group, 90 of the 225 employees viewed the PHI of patients again with no consent within 20 to 70 days following the first unauthorized access.

Although there were restrictions of the study and the results may not apply to other hospitals, it shows that on-the-spot involvement can be very effective at stopping more privacy violations and that when no action is undertaken, staff members will probably go on to access patient information violating the HIPAA Regulations.

What an email notification can do to dissuade unauthorized access by employees is amazing. A basic email can cause big transformations. For the period of the test, no disciplinary action was imposed on any employee. Disciplinary action was imposed after the test was finished on all staff members involved for breaking the PHI access guidelines of the healthcare center, which forbids staff members from accessing the data of loved ones, co-workers, friends, or other people with no prior written consent.


About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone