AVOID OCR INVESTIGATIONS: STOP SNOOPING IN ITS TRACKS

On June 15, 2023, the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced that a Washington hospital would pay $240,000 as part of a settlement for HIPAA violations concerning medical record “snooping.” In May 2018, Yakima Valley Memorial Hospital submitted a breach notification to OCR, triggering an investigation. The hospital reported that 23 security guards had used their hospital credentials to log in and access patient medical records without a job-related purpose. In addition to the payment, the hospital agreed to a two-year monitoring plan and multiple updates to its HIPAA Privacy and Security procedures and policies. 

Although the HIPAA settlements that make the news tend to involve large-scale data breaches, studies suggest that employee snooping is the largest single cause of exposure of patient health information. Small-scale unauthorized access to patient records is a HIPAA privacy violation in its own right, but such violations are harder to detect and prevent than a bulk breach. To discourage snooping and keep their privacy practices in shape, providers should implement protective measures and communicate with employees: 

1. Review relevant policies: Healthcare providers should ensure that policies governing access to PHI are fully up to date and accessible to every employee who has access to medical records. 

2. Monitor access logs for abnormalities: Although individual violations may be hard to spot, regularly reviewing access logs for abnormal patterns may help curb improper access. The Yakima Valley case illustrates the kind of pattern to look for: non-clinical staff (security guards) opening patient charts with no job-related purpose, which is visible in the audit log as access by a user whose role or assignments do not involve that patient. 

3. Communicate policies, expectations, and consequences to all employees: Without the right training and communication, employees may not even be aware that accessing records without authorization is a HIPAA violation that can lead to significant penalties for them and for the organization. Healthcare providers should ensure that existing policies regarding PHI access, and the consequences of improper access, are communicated to each employee through training and periodic reminders.
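The following is an added example, not part of the original article, of what the access-log review in item 2 can look like in practice. It runs two checks over a constructed, synthetic EHR audit log: whether the user's role is one that normally opens charts, and whether the user has a documented treatment relationship with the patient (the two signals that would have surfaced the security-guard access in the Yakima Valley case), plus a burst check for users opening many distinct charts in a single hour. The log format, role names, and the treatment-relationship table are all assumptions made for the example; real EHR audit exports and assignment data will differ.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample EHR audit log (synthetic, not from any real system).
SAMPLE_LOG = """timestamp,user_id,role,patient_id,action
2023-05-01T08:02:11,rn_102,nurse,P1001,view
2023-05-01T08:05:40,rn_102,nurse,P1002,view
2023-05-01T09:14:02,sec_017,security,P1003,view
2023-05-01T09:15:33,sec_017,security,P1004,view
2023-05-01T09:16:01,sec_017,security,P1005,view
2023-05-01T10:30:00,md_044,physician,P1001,view
2023-05-01T22:45:10,rn_102,nurse,P1009,view
"""

# Hypothetical role set: roles whose duties normally include opening a chart.
CLINICAL_ROLES = {"nurse", "physician", "pharmacist", "lab_tech"}

# Hypothetical treatment-relationship table (user -> patients under their care),
# as would be derived from admission and staff-assignment data.
TREATMENT_RELATIONSHIPS = {
    "rn_102": {"P1001", "P1002"},
    "md_044": {"P1001"},
}


def parse_log(text):
    """Parse the CSV audit log into a list of dicts, one per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_access(events, relationships=TREATMENT_RELATIONSHIPS,
                clinical_roles=CLINICAL_ROLES):
    """Return one finding per event that lacks an evident job-related purpose.

    Two independent checks, each recorded as its own reason:
      - the user's role is not one that normally opens charts
      - the user has no documented treatment relationship with the patient
    """
    findings = []
    for e in events:
        reasons = []
        if e["role"] not in clinical_roles:
            reasons.append("non-clinical role opened a chart")
        if e["patient_id"] not in relationships.get(e["user_id"], set()):
            reasons.append("no documented treatment relationship")
        if reasons:
            findings.append({
                "timestamp": e["timestamp"],
                "user_id": e["user_id"],
                "patient_id": e["patient_id"],
                "reasons": reasons,
            })
    return findings


def burst_users(events, max_patients_per_hour=2):
    """Return users who opened more distinct charts in one clock hour than allowed.

    This catches browsing sprees even when each individual access might look
    plausible on its own.
    """
    per_user_hour = defaultdict(set)
    for e in events:
        hour = e["timestamp"][:13]  # "YYYY-MM-DDTHH"
        per_user_hour[(e["user_id"], hour)].add(e["patient_id"])
    return {user for (user, _), patients in per_user_hour.items()
            if len(patients) > max_patients_per_hour}


def summarize(findings):
    """Count findings per user so reviewers can triage the worst offenders first."""
    return Counter(f["user_id"] for f in findings)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in flag_access(events):
        print(f["timestamp"], f["user_id"], f["patient_id"], "; ".join(f["reasons"]))
    print("burst users:", burst_users(events))
    print("findings per user:", summarize(flag_access(events)))
```

On the constructed log, the security user is flagged on every access by both checks and also trips the burst threshold, while the nurse's single off-assignment view at 22:45 is flagged only for the missing treatment relationship. The role check is cheap but coarse; the treatment-relationship check is what distinguishes a clinician's legitimate chart review from snooping, so keeping assignment data accurate is as important as keeping the audit log.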

If you have questions about the HIPAA Privacy Rule, please contact any member of Gardner Skelton's healthcare team.