By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
Snooping into medical records is a long established privacy concern. It is one of the classic examples of how a data breach can occur because it trades on an individual’s natural curiosity that must be contained. Despite snooping being a widely known concern, it still occurs. In fact, it forms the basis for the most recent settlement of an alleged HIPAA violation by the Office for Civil Rights.
The Settlement
The HIPAA settlement announced on June 15, 2023 addressed snooping into medical records by security guards. The settlement announced by OCR was with Yakima Valley Memorial Hospital (Yakima) located in Washington. OCR received a complaint on February 28, 2018 and commenced an investigation on May 18, 2018. The somewhat dated nature of the conduct follows a recent trend in OCR’s settlements, which go back a bit in time.
The announcement of the settlement, not the resolution agreement, noted that 23 security guards working in Yakima’s emergency department used login credentials to access and view patient information. OCR clearly stated that the access was not related to the job functions or duties of the security guards. The information viewed by the security guards included names, dates of birth, medical record numbers, addresses, some of the treatment notes, and insurance information.
As part of the resolution agreement, OCR asserted that its investigation found security policies and procedures lacking. Interestingly, the specific missing elements were not identified. Just a blanket statement that Yakima failed to implement reasonable and appropriate policies to comply with the requirements of the Security Rule. Given the nature of the conduct, it seems safe to guess that Yakima did not have appropriate access policies that would identify who should actually have the ability to see and interact with patient information.
All of the deficiencies amounted to a settlement with OCR for $240,000. That amount is arguably somewhat in the middle range of what OCR will accept to settle an alleged HIPAA violation. As always, there is not much insight into how the settlement amount was determined. It is left up to speculation and conjecture.
Settlement Takeaways
The first and likely biggest question to ask about the Yakima settlement is why could the security guards access patient information? Does the security guard role require access to the electronic medical record or any other detailed patient information? Arguably, the security guard role is to be onsite and help maintain safety for patients, staff, and others visiting the hospital. It is not clear that that role requires any access, let alone unfettered access to patient information.
What should Yakima have done to better protect patient information? Without knowing what if any actions were taken in reality, the first step is to assess each role in an organization and identify the scope of responsibilities for each role. Once the specific job functions of each role have been established, then an organization should determine what, if any, access each role requires. As a role becomes more remote from any connection to the delivery of services to patients or overseeing any service related to patients, the ability to access patient information should be more carefully vetted.
Given the wide variety of roles that can be filled in a hospital or other healthcare facility, there will certainly be some roles that do not require any access to patient information. If that is the case, then it is fine to keep individuals filling those roles out of systems containing patient information.
The Security Rule is very clear under the section addressing administrative safeguards that an assessment of roles and access for each role must occur. The workforce security standard first states that workforce members should have appropriate access and then individuals who do not have access should be prevented from accessing protected health information. That standard makes it explicitly clear that access cannot (or should not) be handed out like candy.
Given that access should be prevented for certain roles, the easiest way would be to just deny usernames and passwords to those systems. Alternatively, if some low level access is justified, then restrictions should be put on the account to prevent free access to all information in the system.
Controlling the scope of access is one way to help mitigate the potential for snooping. If an individual cannot get into a system, then the temptation to just take a peek at information can be removed. Additionally, organizations should constantly monitor and audit access to systems containing protected health information to other patient information. The audit part is important because that is the component where patterns or other items of concern can actually be identified.
Remember, there are always risks to patient information. Take the time to minimize the likelihood of those events occurring, especially the ones that are under an organization’s control.
This article was originally published on The Pulse blog and is republished here with permission.