
UMC Tucson Fires 3 for Privacy Breaches

By dnicastro@hcpro.com | January 14, 2011

University Medical Center in Tucson has fired three clinical support staff members and a contracted nurse for "inappropriately accessing confidential medical records," the hospital reported on its website Wednesday.

The records were related to Saturday's shootings at a Tucson supermarket that killed six and wounded 13 -- including U.S. Rep. Gabrielle Giffords (D-AZ).

"We are not aware of any confidential patient information being released publicly," the hospital said in a statement.

This isn't the first snooper fired in the past year.

Mayo Clinic fired an employee who worked in a business center in Arizona for accessing nearly 2,000 patient medical and financial records over a four-year period, the Post-Bulletin of Rochester, MN, reported in September. The employee's access rights covered all Mayo Clinic patient records at all Mayo sites.

Officials discovered the breach in mid-July. They did not release the name of the healthcare worker.

"This activity took place between 2006 and 2010. An internal investigation was immediately launched. Following a thorough review of the facts, the person was fired," according to a Mayo statement.

Some facilities use "honeypots" as bait to catch snooping staff members who are in violation of HIPAA. "Honeypots," also referred to as "honeynuts," are fictitious medical records that IT monitors to determine if anyone is accessing them.

The terms honeypots and honeynuts derive from the notion that if you want to catch birds, you scatter birdseed. Use these tips regarding honeypots to catch snoopers and respond accordingly:

  • Gain executive sponsorship. "Using a honeypot implicitly communicates we don't trust our staff, even though we know that insider snooping is by far the most common cause of privacy or security breaches," John R. Christiansen, founder of Christiansen IT Law in Seattle, says. You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy.
  • Get HR buy-in. HR must be looped in to ensure that it will take appropriate action if you catch someone accessing records inappropriately, Christiansen says, adding that "legal counsel should vet the whole program to make sure legal risks are avoided."
  • Conduct a risk assessment of your systems and equipment. Then create records for five media-centric personalities, making them as real as possible. Don't be too obvious. For instance, Madonna would probably not end up in a central Montana facility.
  • Beware of entrapment. Honeypots are analogous to entrapment; they're bait that wouldn't work if someone wasn't predisposed to snooping, Christiansen says, because, as W.C. Fields said, "You can't cheat an honest man." Organizations should be certain that staff members know about policies that prohibit snooping and that system configuration prevents accidental access.
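
The monitoring side of a honeypot record, as an added example that is not from the article or any hospital's system: it scans an access audit log for deliberate opens of decoy charts and summarizes them per user. The log format, action names, record numbers and account names are all constructed assumptions; search-list hits are ignored to reflect the point above about accidental access.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed values: decoy record numbers and the accounts allowed to maintain them.
DECOY_MRNS = {"MRN-900001", "MRN-900002"}
MAINTAINERS = {"privacy_officer"}
# Assumed event names; only deliberate opens count, not a name shown in a search list.
DELIBERATE_ACTIONS = {"CHART_OPEN", "CHART_PRINT", "CHART_EXPORT"}

# Constructed audit log: timestamp,user,action,mrn
SAMPLE_LOG = """\
2011-01-10T08:02:11,nurse_a,CHART_OPEN,MRN-104477
2011-01-10T08:05:40,clerk_b,SEARCH_RESULT,MRN-900001
2011-01-10T08:06:02,clerk_b,CHART_OPEN,MRN-900001
2011-01-10T08:09:15,clerk_b,CHART_PRINT,MRN-900001
2011-01-10T09:30:00,privacy_officer,CHART_OPEN,MRN-900002
2011-01-10T10:12:44,tech_c,SEARCH_RESULT,MRN-900002
2011-01-10T11:01:03,clerk_b,CHART_OPEN,MRN-900002
malformed line without enough fields
"""

def find_decoy_access(log_text):
    """Return {user: {"first_seen", "events", "decoys"}} for deliberate decoy access."""
    alerts = defaultdict(lambda: {"first_seen": None, "events": 0, "decoys": set()})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the review
        ts_raw, user, action, mrn = (field.strip() for field in row)
        if mrn not in DECOY_MRNS or action not in DELIBERATE_ACTIONS:
            continue  # real patient record, or a passive search-list hit
        if user in MAINTAINERS:
            continue  # staff who create and maintain the decoys
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # unparseable timestamp
        entry = alerts[user]
        entry["events"] += 1
        entry["decoys"].add(mrn)
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(alerts)

if __name__ == "__main__":
    for user, info in find_decoy_access(SAMPLE_LOG).items():
        print(user, info["first_seen"].isoformat(), info["events"], sorted(info["decoys"]))
```

The per-user summary (first access, event count, which decoys) is the kind of record HR and legal counsel would need before acting on an alert.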

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
