Curiosity Has Its Cost

Back in June, the victims of the horrific Orlando shooting at Pulse Nightclub were also victims of a privacy breach when their personal health information was accessed without authorization by a few curious employees at Orlando Health Hospital. The hospital confirmed that employees have previously received HIPAA training on patient privacy. However, they are now retraining staff and increasing auditing and monitoring of patient records in response to the breach. Experts say the hospital could be responsible for penalties up to $100,000 depending on the severity. A high price for personal curiosity. 

According to a study reported in the HIPAA Journal the most common cause of HIPAA security breaches is small scale snooping by employees. For example, if an employee see’s their neighbor or friend visiting the office and out of curiosity looks at the patient’s record to see why they are there, this is considered a breach of privacy. Another similar example is if an employee sees something on the news such as a car accident or shooting and reviews a patient record to find out what has happened. Both are common examples of employees snooping or being curious and violating HIPPA patient privacy laws. This type of breach not only puts an organization or medical practice at risk for a violation or hefty penalty, but it also threatens the organization’s reputation and damages patient trust.

Civil penalties for a HIPAA violation can range from $100 to 1.5 million. Criminal penalties can include up to $250,000 in fines and possible imprisonment for up to ten years depending on the severity. To protect patient privacy, and avoid such hefty penalties organizations, and medical offices must be vigilant about making security a priority. The following are a few best practices to prevent a privacy breach from happening: 

• Perform privacy and security audits. Many EHR’s have auditing functions which can be used as a tool to conduct audits and monitor files. 
• Monthly randomized checks on employees accessing files can also be conducted to look for unusual activity. 
• Review and update risk management policies and procedures.
• Restrict access of patient information to only necessary personnel.
• Develop an effective on-going training program to ensure that employees are informed of HIPAA patient privacy laws. 
• Implement rigorous hiring procedures and conduct background checks to reduce the risk of internal fraud.

While it may not be possible to prevent all employees from snooping, the risk of a breach can significantly be reduced by implementing an effective ongoing training program. If you or your medical office has a question regarding HIPAA privacy laws or HIPAA employee training, contact the experts at MedSafe at 1-888-MEDSAFE or visit our website at www.medsafe.com.