Recent Employee Snooping Cases Underscore Need for Access Controls and Alerts

Malware, ransomware, and unpatched software vulnerabilities threaten the availability, integrity, and confidentiality of PHI, but healthcare organizations must also take steps to address the threat from within. This year has already seen several cases of employees snooping on medical records they had no authorization to view.

The HIPAA Security Rule, at 45 CFR §164.312(b), requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Access logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be reviewed to determine which records were accessed, by whom, and whether that access was authorized.

If those logs are reviewed regularly, privacy breaches can be identified quickly and action taken to limit the damage. However, recent cases have shown that while access logs are being kept, they are not being reviewed often enough. There have been many recent cases of employees who improperly accessed patients’ medical records over a period of several years before anyone noticed.

Just a few days ago, Beacon Health announced that an employee had been discovered to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing so. That employee had been snooping on medical records for 3 years.

In March, Chadron Community Hospital and Health Services discovered an employee had accessed the medical records of 700 patients over a period of 5 years, and St. Charles Health System discovered an employee had accessed medical records without authorization over a 27-month period.

Also in March, Trios Health discovered an employee had improperly accessed the medical records of 570 patients. The improper access occurred over a period of 41 months.

Rapid detection of insider privacy breaches is essential. Even when snooping is detected relatively quickly, the privacy of several thousand patients may already have been violated. In January, Covenant HealthCare notified 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical records over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a period of 10 months.

Healthcare organizations may not feel it is practical to tightly restrict clinical staff’s access to patients’ PHI, since patient care often requires broad access, but a system can be implemented that will alert staff to improper access quickly. Software solutions can be used to detect improper access, for example a user opening the chart of a patient with whom they have no treatment relationship, rapidly browsing many unrelated records, or accessing records outside their normal hours, and alert the appropriate members of the workforce in near real time. If such systems are not implemented, regular reviews of ePHI access logs must be conducted. Routine reviews of ePHI access logs will allow organizations to avoid major breaches, reduce legal liability, and reduce the damage caused by rogue employees.
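The following is an added illustration of the kind of access-log review described above; it is not code from the article or from any EHR vendor or monitoring product. It runs three simple detection rules over a constructed audit log: access with no treatment relationship to the patient, rapid browsing of many distinct patients’ charts, and after-hours access. The log format (timestamp, user, patient id, action), the care-team table, and all names and identifiers are assumptions made up for the demo.

```python
"""Detect suspicious EHR record access from audit-log entries.

Added illustrative example, not code from the article or any vendor product.
The log lines and the care-team table below are constructed for the demo; the
field layout (ts, user, patient, action) is an assumption, not a real EHR schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: which staff have a treatment relationship with which
# patient (assigned care team or open encounter). Access outside this is suspect.
CARE_TEAM = {
    "P1001": {"nurse_kim", "dr_lopez"},
    "P1002": {"dr_lopez"},
    "P1003": {"nurse_kim"},
    "P1004": set(),            # no open encounter, e.g. a discharged patient
}

# Constructed audit log: ISO timestamp, user, patient id, action.
LOG = """\
2024-03-04T08:02:11 nurse_kim P1001 view_chart
2024-03-04T08:05:40 dr_lopez  P1002 view_chart
2024-03-04T12:17:03 reg_clerk P1004 view_chart
2024-03-04T12:17:20 reg_clerk P1003 view_chart
2024-03-04T12:17:31 reg_clerk P1001 view_chart
2024-03-04T12:17:45 reg_clerk P1002 view_chart
2024-03-05T09:10:00 nurse_kim P1003 view_chart
2024-03-05T23:41:12 dr_lopez  P1004 view_chart
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def no_treatment_relationship(events, care_team):
    """Rule 1: the user is not on the accessed patient's care team."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def burst_access(events, max_distinct=3, window=timedelta(minutes=10)):
    """Rule 2: a user opens more than max_distinct different patients' charts
    within a sliding time window. Snooping often looks like rapid browsing."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            seen = {x["patient"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(seen) > max_distinct:
                flagged.add(user)
                break
    return flagged


def after_hours(events, start_hour=7, end_hour=19):
    """Rule 3: access outside a fixed shift window. A real deployment would
    compare against the user's rostered schedule instead of fixed hours."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def review(text, care_team):
    """Run all rules and return (user, patient, reason) alert tuples."""
    events = parse_log(text)
    alerts = []
    for e in no_treatment_relationship(events, care_team):
        alerts.append((e["user"], e["patient"], "no treatment relationship"))
    for user in sorted(burst_access(events)):
        alerts.append((user, "*", "rapid multi-patient browsing"))
    for e in after_hours(events):
        alerts.append((e["user"], e["patient"], "after-hours access"))
    return alerts


if __name__ == "__main__":
    for user, patient, reason in review(LOG, CARE_TEAM):
        print(f"ALERT user={user} patient={patient} reason={reason}")
```

On the constructed log, the registration clerk is flagged on both the relationship rule and the browsing rule (four unrelated charts in under a minute), while the physician’s late-night lookup of a discharged patient is flagged on the relationship and after-hours rules. In practice the relationship check needs encounter and on-call data from the EHR, and each alert should be routed to a privacy officer for review rather than treated as proof of wrongdoing.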