Employees access PHI for various illegitimate reasons. Including error and misuse, 71% of all cyber incidents in healthcare have an insider source,1 making healthcare the only industry in which internal sources outnumber external ones. Although the following case study involves only one patient, the covered entity was still required to complete a data breach analysis and notify the patient and HHS.
HIPAA Breach Analysis Flowchart
The following flowchart outlines how a privacy or security incident is analyzed to determine whether a HIPAA breach has occurred. It forms the basis of the analysis in the case presented here.
In addition to federal HIPAA regulations, covered entities may also have to comply with state data breach laws. State laws vary on what triggers a breach notification obligation and the nature of breach notification obligations. This case study focuses on federal data breach notification laws. The Health Information & the Law website has an interactive map that provides links to state health data security and breach notification laws.
Case File
A receptionist at an obstetrics and gynecology group accessed the records of her ex-husband’s new girlfriend, who was a patient. The receptionist discovered in the records that the patient had a record of treatment for sexually transmitted diseases (STDs). The receptionist downloaded portions of the patient’s record detailing the STD treatment and later anonymously emailed the records to her ex-husband. The ex-husband confronted the patient, who reported the privacy violation to the group. The group’s IT department was able to identify the receptionist as the culprit, and she was fired.
HIPAA Breach Analysis
Q. Was PHI involved?
A. Yes.
Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No.
Q. Does one of the three HIPAA disclosure exceptions apply?
A. No.
Q. Is there a low probability that PHI has been compromised? (Risk Assessment)
A. The compromise of PHI was established, and because none of the exceptions applied, the attorneys who reviewed this case determined that a breach had occurred and that notification of the affected patient and HHS was necessary. The patient had to be informed no later than 60 days after the breach was discovered (although she already knew all about it). Because the breach involved fewer than 500 patients, the group was required to report it to HHS no later than 60 days after the end of the calendar year.
Medical Liability Risk Management Recommendations
Comprehensive and effective staff/clinician policies are the backbone of an effective security strategy. However, even the best policies cannot succeed if employees are unaware of them or do not follow them. Therefore, covered entities need to train all clinicians and staff on PHI security and breach policies and protocols, and consistently sanction violations. Consider the following recommendations:2,3
- Provide clinician and staff training initially and then annually on PHI security.
- Ensure that clinicians and staff understand PHI security policies and protocols.
- Ensure that clinicians and staff understand their responsibilities and roles in protecting PHI security, the various sensitivity levels of information and how PHI should be accessed, stored and transmitted.
- Require staff to sign confidentiality agreements.
- Enforce PHI security policies consistently among clinicians, staff and administrators. (HIPAA requires all covered entities to have sanction policies and procedures in place and to take actions against workforce members who do not comply with them.)
- Inform individuals working with PHI that accessing PHI for reasons not related to their job functions is a violation of state and federal privacy law.
- Consider using a pop-up box warning users they are accessing PHI and all accesses are being audited (if true).
- Limit clinician and staff access to the data they need to perform their job functions (e.g., there was no reason for the receptionist in this case study to have access to patient progress notes).
- Ensure that clinicians and staff are prepared to appropriately respond to a suspected data breach.
- Constantly audit systems to discover improper access.
- Monitor for and resolve inappropriate user ID and password sharing.
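As an added illustration of the least-privilege and audit recommendations above (example code written for this page, not part of the article or any EHR product), the script below applies a role-based access policy to constructed EHR access-log lines and flags the kind of access seen in this case: a receptionist reading and exporting progress notes, and clinical staff opening records of patients they are not scheduled to see. The log format, role names, section names and schedule are all assumptions.

```python
# Added example: least-privilege audit over constructed EHR access-log lines.
# The log layout, roles, sections and schedule are illustrative assumptions.

# Hypothetical least-privilege policy: record sections each role may read.
ROLE_SECTIONS = {
    "receptionist": {"demographics", "scheduling", "billing"},
    "nurse": {"demographics", "scheduling", "vitals", "progress_notes"},
    "physician": {"demographics", "scheduling", "vitals", "progress_notes", "orders"},
}
# Sections whose export (download) should always be reviewed.
CLINICAL = {"vitals", "progress_notes", "orders"}

# Constructed sample log: timestamp|user|role|patient|section|action
SAMPLE_LOG = """\
2018-04-02T09:05|rsmith|receptionist|P1001|scheduling|view
2018-04-02T09:07|rsmith|receptionist|P1001|progress_notes|view
2018-04-02T09:08|rsmith|receptionist|P1001|progress_notes|export
2018-04-02T10:15|jlee|nurse|P1001|vitals|view
2018-04-02T11:00|dkim|physician|P1001|progress_notes|export
2018-04-02T22:40|jlee|nurse|P2002|progress_notes|view
"""

# Constructed schedule: (user, patient) pairs with an encounter that day.
SCHEDULE = {("rsmith", "P1001"), ("jlee", "P1001"), ("dkim", "P1001")}


def parse_log(text):
    """Split pipe-delimited log lines into event dictionaries."""
    events = []
    for line in text.splitlines():
        ts, user, role, patient, section, action = line.split("|")
        events.append({"ts": ts, "user": user, "role": role, "patient": patient,
                       "section": section, "action": action})
    return events


def audit(events, schedule):
    """Return (timestamp, user, reason) for each access that violates policy."""
    findings = []
    for e in events:
        allowed = ROLE_SECTIONS.get(e["role"], set())
        if e["section"] not in allowed:
            findings.append((e["ts"], e["user"], "section outside role permissions"))
        elif (e["user"], e["patient"]) not in schedule:
            findings.append((e["ts"], e["user"], "no scheduled encounter with patient"))
        elif e["action"] == "export" and e["section"] in CLINICAL:
            findings.append((e["ts"], e["user"], "export of clinical data"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), SCHEDULE):
        print(finding)
```

Run against the sample log, the check reports four findings: the receptionist's two progress-note accesses, the physician's export, and the nurse's after-hours access to an unscheduled patient.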
More Information About Preventing HIPAA Data Breaches
- Article: Preventing HIPAA Data Breaches: Case Studies and Best Practices
- Best Practices: Mobile Device Policies for Preventing HIPAA Data Breaches
- Best Practices: Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers
- Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops
- Closed Claim Case Study: Misdelivered Email Results in a HIPAA Data Breach
- Closed Claim Case Study: Unsecured PHI on a Lost Flash Drive Results in a HIPAA Data Breach
Additional Resources for Policyholders
Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.
Information and Network Security Coverage
Call NORCAL Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.
References
1. Verizon Enterprise. “2018 Data Breach Investigations Report.” (accessed 5/9/2018)
2. Paez M, Curley K. Employee-caused data breaches. Wells Fargo White Paper. (resource not available online)
3. Raths D. “How employee snooping results in HIPAA trouble.” Behavioral Healthcare Magazine. December 5, 2014. (accessed 5/14/2018)
Additional Linked Source
Health Info & the Law Project. “States.” (accessed 5/14/2018)