
Most Common HIPAA Violation? Small-Scale Snooping

by Christine Meyers on August 14, 2012

Health privacy violations are lethal. They can create reputation management nightmares and generate stiff fines. Even a single HIPAA violation has serious financial consequences. The minimum fine now stands at $50,000, with a maximum penalty of up to $1.5 million per year for each provision of the rules. Since many healthcare privacy breaches involve multiple violations, the cost of not protecting patient privacy can grow very quickly. We have already begun to see this demonstrated in the more recent HIPAA compliance enforcement actions. Care providers large and small are feeling the pressure. Even government agencies are not immune.

While headline-grabbing events like the HIPAA fine levied against the State of Alaska are widely covered, there is another, hidden reality that is far more pervasive: small-scale snooping is actually far more common than large-scale theft or dramatic losses of equipment containing PHI. In fact, in the 2011 Survey of Patient Privacy Breaches*, about 70% of the survey respondents reported that they had experienced a HIPAA breach of some level—with the majority of those violations occurring as a result of snooping activity. Insiders were responsible for the majority of breaches, with 35 percent snooping into the medical records of fellow employees and 27 percent accessing the records of friends and relatives. More than half of the respondents stated that they lacked the appropriate tools for monitoring inappropriate access to PHI.

Organizations will continue to be held accountable for responding to audit and information requests. Tools that support HIPAA compliance reporting requirements and Accounting of Disclosure requests, such as Attachmate Luminet, are available today. These solutions help stop misuse and curtail privacy violations by seeing, recording, and analyzing user activity across all applications, so they can help you address a wide variety of PHI access and policy scenarios. When examining technology of this kind, make sure it can help you answer the following questions:

• Is an employee logged in at multiple locations or accessing systems after hours while on vacation or absent from work?
• Is an employee accessing areas not appropriate for their job or function?
• Are physicians accessing records outside their specialty?
• Are employees accessing high profile or VIP accounts inappropriately?
• Are employees inappropriately accessing PHI within the institution?
• Are employees accessing accounts more than 30 days after the date of service? Has key account information—e.g., address or services rendered—changed?
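As an added illustration (not code from the article or from any product it mentions), the following Python sketch runs the checks from the list above that can be answered from an access log alone: concurrent logins from different locations, after-hours access, physicians opening charts outside their specialty, VIP chart access by staff outside the care team, and access more than 30 days after the date of service. The record schema, the business-hours window, the 15-minute concurrency window and the sample records are all constructed assumptions; absence or vacation checks would need HR data that is not modelled here.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 counts as on-shift (assumed policy)
CONCURRENCY_WINDOW = timedelta(minutes=15)
STALE_AFTER = timedelta(days=30)         # the "more than 30 days after date of service" rule
VIP_CARE_TEAM = {"P3": {"dr_ono"}}       # constructed: who may legitimately open each VIP chart

# Constructed sample access records (not real data); one entry per chart view.
ACCESS_LOG = [
    {"ts": "2012-08-01 09:10", "user": "dr_lee", "role": "physician", "specialty": "cardiology",
     "location": "clinic-A", "patient": "P1", "patient_specialty": "cardiology", "dos": "2012-07-30"},
    {"ts": "2012-08-01 09:12", "user": "dr_lee", "role": "physician", "specialty": "cardiology",
     "location": "clinic-B", "patient": "P2", "patient_specialty": "oncology", "dos": "2012-07-30"},
    {"ts": "2012-08-01 23:40", "user": "nurse_kim", "role": "nurse", "specialty": "nursing",
     "location": "ward-3", "patient": "P3", "patient_specialty": "oncology", "dos": "2012-06-01"},
    {"ts": "2012-08-02 14:00", "user": "clerk_ann", "role": "clerk", "specialty": "registration",
     "location": "front-desk", "patient": "P1", "patient_specialty": "cardiology", "dos": "2012-07-30"},
]

def review(log):
    """Return (rule, user, patient) findings for the checks in the article's list."""
    findings = []
    last_seen = {}  # user -> (timestamp, location) of previous access, for the multi-location check
    for rec in sorted(log, key=lambda r: r["ts"]):
        ts = datetime.strptime(rec["ts"], FMT)
        user, patient = rec["user"], rec["patient"]
        # 1. Same user active from two different locations within a short window.
        prev = last_seen.get(user)
        if prev and prev[1] != rec["location"] and ts - prev[0] <= CONCURRENCY_WINDOW:
            findings.append(("multiple-locations", user, patient))
        last_seen[user] = (ts, rec["location"])
        # 2. Access outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after-hours", user, patient))
        # 3. Physician opening a chart outside their own specialty.
        if rec["role"] == "physician" and rec["specialty"] != rec["patient_specialty"]:
            findings.append(("outside-specialty", user, patient))
        # 4. VIP chart opened by someone not on that patient's care team.
        if patient in VIP_CARE_TEAM and user not in VIP_CARE_TEAM[patient]:
            findings.append(("vip-access", user, patient))
        # 5. Chart opened more than 30 days after the date of service.
        if ts - datetime.strptime(rec["dos"], "%Y-%m-%d") > STALE_AFTER:
            findings.append(("stale-access", user, patient))
    return findings

if __name__ == "__main__":
    for finding in review(ACCESS_LOG):
        print(*finding)
```

Each finding is only a lead for a privacy officer to review against schedules and care-team rosters, not proof of a violation.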

When evaluating a solution provider, look for the ability to see beyond logs—to capture the query-only activity that happens when staff and care providers only want a “quick peek.” It may seem like harmless curiosity, but it is a privacy violation that can land an institution in very hot water.

*The 2011 Survey of Patient Privacy Breaches was conducted by Veriphyr.