Patient-record snooping is inevitable, but with the advent of electronic health records (EHRs), it took "a new twist," says Kate Borten, CISSP, CISM, president of The Marblehead Group.
"The fact that e-records can be accessed from anywhere is both a blessing and a privacy and security curse," Borten says.
Borten says facilities should consider not only blocking access to PHI for employees who don't need it, but also to have strict policies and penalties in place for those who snoop at patient records.
Says Borten: "Today the standard approach–after technically blocking access from those who don't need it, of course—is to have a policy prohibiting snooping and sanctions for violations, workforce training that makes this crystal clear, and then follow-through with technical and manual auditing and disciplinary action."
Patient-record snooping grabbed headlines Tuesday, May 4, when Huping Zhou, 47, of Los Angeles became the first person sentenced to prison for misdemeanor HIPAA offenses for accessing confidential records without a valid reason or authorization, according to the U.S. Attorney's Office in the Central District of California.
United States Magistrate Judge Andrew J. Wistrich sentenced Zhou, a former UCLA Healthcare System employee who admitted snooping at patients' records, to four months in prison.
Zhou admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, the federal California attorney's office said in a release.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, says Zhou's sentence and another six months ago serve as "object lessons" for the industry.
A federal judge on October 26, 2009, sentenced a doctor and two former hospital employees to a year's probation; they admitted to snooping at the records of Little Rock, AK, TV reporter Anne Pressly, who was murdered. Pressly was found severely beaten in her Little Rock home on October 20, 2008, and died five days later.
"I think the Pressly case, followed by [Zhou], are definitely intended to be 'object lessons' to make an example and scare others," Drummond says. "I agree with that strategy."
Last October, U.S. Attorney Jane Duke said in a statement she hoped the Little Rock snooping sentencings "send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information."
Drummond says organizations need to sniff out snooping themselves, and fire people to scare the rest of the staff. He suggested to even "perp walk" violators off the premises.
"I'd even recommend 'honey pots' to basically trap snoopers," Drummond says. "Make sure they are trained, but if they snoop, fire 'em. Even if it's entrapment."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.