A Chicago hospital fired at least 50 employees for violating HIPAA by improperly accessing the medical records of actor Jussie Smollett, according to multiple news outlets.
The actor, known for his recent work on the television show “Empire,” was treated there following an incident in which he claimed to have been attacked by two men outside his apartment in January. The case was the subject of extensive media attention and controversy because he claimed the attack was a hate crime. However, two friends told police that Smollett had hired them to fake the attack. The district attorney declined to press charges, a decision which was widely criticized.
Firing employees for snooping is an appropriate response after the fact, but the better solution is to stop the intrusions in the first place, says Vish Davé, senior associate of Schellman & Company, a global independent security and privacy compliance assessor based in Tampa, FL.
Hospitals can take several steps to prevent unwanted snooping by employees. One common method is quarterly training that makes the policies, and the disciplinary action that follows when they are not followed, clear to every employee, Davé says. Technical safeguards can also be implemented within the electronic medical record (EMR), chiefly access controls and audit controls.
“Access controls can be implemented so that they limit the amount of information an employee can access based on their authority levels and role type within the organization. For example, an employee working front desk who only needs to enter demographics or update demographics for patients might not need to access the patient’s actual medical records and therefore will be assigned a role that prevents them from entering or accessing the medical records based on their role type,” Davé explains.
The other technical safeguard, audit controls, gives healthcare organizations the ability to monitor access and activity within the EMR: user logins and logouts, which health records were accessed or changed, and any irregularities found. Audit controls also produce audit trails, which give the organization the ability to investigate any improper access after the fact, Davé notes.
Depending on the type of EMR, another option is to mark certain patients' charts as confidential, Davé says. When an employee attempts to open such a chart, the system prompts the employee for a justified reason for accessing that specific patient's information and records the reason in the audit trail.
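The two safeguards just described, role-based limits on which parts of a chart a role may read and a justification prompt on charts marked confidential, can be sketched in a few dozen lines. The following is an added example, not code from the article or from any EMR vendor; the role-to-section table, the section names and the audit record layout are assumptions chosen for illustration.

```python
# Added example (not from the article or any real EMR): role-based section
# access plus a "confidential chart" justification prompt, both written to an
# audit trail. Role/section names and the log layout are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical mapping of role -> chart sections the role may read.
ROLE_SECTIONS = {
    "front_desk": {"demographics"},
    "billing":    {"demographics", "charges"},
    "nurse":      {"demographics", "medications", "notes", "labs"},
    "physician":  {"demographics", "medications", "notes", "labs", "charges"},
}


class AccessDenied(Exception):
    pass


@dataclass
class Chart:
    mrn: str                      # medical record number
    confidential: bool = False    # set by the record director for VIP/newsworthy patients
    sections: dict = field(default_factory=dict)


@dataclass
class EMR:
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, mrn, section, outcome, reason=None):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "mrn": mrn,
            "section": section, "outcome": outcome, "reason": reason,
        })

    def read(self, user, role, chart, section, reason=None):
        """Return a chart section if the role permits it. Confidential charts
        additionally require a stated reason, which is recorded in the audit log.
        Every attempt, allowed or denied, leaves an audit record."""
        if section not in ROLE_SECTIONS.get(role, set()):
            self._log(user, role, chart.mrn, section, "DENIED_ROLE")
            raise AccessDenied(f"role {role!r} may not read {section!r}")
        if chart.confidential and not reason:
            self._log(user, role, chart.mrn, section, "DENIED_NO_REASON")
            raise AccessDenied("confidential chart: a justification is required")
        self._log(user, role, chart.mrn, section, "OK", reason)
        return chart.sections.get(section)


def try_read(emr, user, role, chart, section, reason=None):
    """Attempt a read and return the audit outcome it produced."""
    try:
        emr.read(user, role, chart, section, reason)
    except AccessDenied:
        pass
    return emr.audit_log[-1]["outcome"]


def demo():
    """Walk through the cases the text describes on a constructed confidential chart."""
    emr = EMR()
    chart = Chart("MRN-7007", confidential=True,
                  sections={"demographics": {"name": "J. Doe"}, "notes": "clinical note"})
    results = [
        try_read(emr, "fdesk1", "front_desk", chart, "notes"),                      # DENIED_ROLE
        try_read(emr, "fdesk1", "front_desk", chart, "demographics", "check-in"),   # OK
        try_read(emr, "nurse7", "nurse", chart, "notes"),                           # DENIED_NO_REASON
        try_read(emr, "nurse7", "nurse", chart, "notes", "assigned, ward 4B"),      # OK
    ]
    return results, emr.audit_log


if __name__ == "__main__":
    outcomes, log = demo()
    for entry in log:
        print(entry["user"], entry["section"], entry["outcome"], entry["reason"])
```

The role check runs first, so a front-desk user is refused the clinical notes regardless of any reason offered; the confidentiality prompt only gates users whose role would otherwise be entitled to the section, which is exactly the population that role-based limits alone cannot distinguish from legitimate treating staff.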
“With the ever-changing technology environment, several other types of solutions are available within the market that work in similar fashions and detect improper access in near-real time based on the type of electronic healthcare record system to minimize employee snooping,” Davé says.
Some EMR software offers role-based limitations granular enough that they limit particular categories of employees to certain fields in the EMR, notes Kristen Rosati, JD, an attorney with the law firm of Coppersmith Brockelman in Phoenix.
“For example, billing clerks may not need access to the entire EMR to do their job. However, not all EMR software has good technical role-based capabilities,” Rosati says. “Even the best role-based limitations can’t determine in advance whether a particular employee with treatment access has a treatment relationship with a particular patient. It would have a very negative impact on patient care to require some type of prior association with the patient to allow access, because you have shift changes, doctors filling in for one another — many situations that would make that unworkable.”
Hospitals have to rely on good advance training and after-the-fact auditing to confirm that employee access is appropriate. That makes it nearly impossible to prevent all infractions, Rosati says.
“Hospitals have training modules that explicitly tell employees not to peek at records out of curiosity. They explain how the audit trails will catch them, but they do it anyway,” she says. “It comes down to people having shockingly bad judgment.”
That was true in the days of paper medical records, too, but gaining access was harder, Rosati notes. If someone famous was undergoing treatment, a nosy employee had to go to where the record was stored and physically get at it. That was more difficult, but people still succeeded in their snooping, Rosati says.
“The good news is that in the electronic environment you know who accessed the record. With paper, you didn’t,” she says. “This problem of people peeking at records isn’t new. It’s just that we know how much it’s happening now.”
In the 23 years since HIPAA became law, Rosati says the incidence of snooping in patient records has decreased. She attributes this decline to healthcare employers educating employees about the consequences. “The vast majority of employees are very careful to follow these policies because they know what can happen to them,” Rosati says. “There will always be some who can’t resist.”
Rosati notes that records snooping occurs with more than just celebrities. Access audits also should look for queries for patient records with the same last name as the employee, implying a familial relationship such as an employee seeking information to use against a spouse in a divorce proceeding. Audits also can look for unusual volume of access. If a billing employee typically accesses 50 records a day but then accesses 100 or 200, that could represent someone who is browsing records out of curiosity or to seek specific information for improper purposes.
Budgetary concerns can limit the security options for some healthcare organizations, notes Brian McPherson, JD, employment law and commercial litigation shareholder at Gunster in West Palm Beach, FL. Technology exists to limit employee access to records, but not everyone can afford it — especially if it means changing to a different EMR, he notes.
Another problem is that in many healthcare organizations, no one audits the logs showing who accessed patient files.
“HIPAA requires that hospitals and healthcare facilities have a medical record director who is charged with overseeing and auditing patient records. Records are kept of who accessed a record, when, and why,” McPherson says. “The problem is that nobody goes back to see what the logs are reporting. The information is there but nobody is paying attention to it because they’re so busy with everything else.”
One tactic is to flag the records of known celebrity patients or others involved in newsworthy events such as crimes and disasters so that the system sends an alert to the medical record director when someone accesses those records. Also, the auditor can make a point of periodically reviewing the records of those patients for any access that seems unsubstantiated, McPherson says. Oversight like that may be how the Chicago hospital discovered the unauthorized access of Smollett’s records.
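The audit heuristics described above (Rosati's same-surname and unusual-volume checks, and McPherson's alert on any access to a flagged patient's record) are simple to run over an access log once someone actually looks at it. The following is an added example, not code from the article or from any EMR product. It operates on a constructed CSV audit trail with assumed columns, and the flagged-patient list, the two-times-median volume threshold and the three-day minimum history are assumptions a real program would tune.

```python
# Added example (not from the article): three audit-trail checks over a
# constructed EMR access log. The record layout (date,user,user_surname,role,
# mrn,patient_surname), FLAGGED_MRNS and VOLUME_FACTOR are all assumptions.
import csv
import io
import statistics
from collections import Counter, defaultdict

# Charts the medical record director has flagged (newsworthy patients). Assumption.
FLAGGED_MRNS = {"MRN-7007"}
# Flag a day whose count is at least this multiple of the user's median on other days.
VOLUME_FACTOR = 2.0
MIN_DAYS = 3   # need some history before calling a day unusual


def build_sample_log():
    """Constructed sample audit trail (not real data)."""
    rows = ["date,user,user_surname,role,mrn,patient_surname"]
    # Billing clerk with a normal baseline of ~50 charts/day, then a 150-chart day.
    for date, count in (("2019-02-01", 50), ("2019-02-02", 48), ("2019-02-03", 150)):
        for i in range(count):
            rows.append(f"{date},bclark,Clark,billing,MRN-{1000 + i:04d},Lee")
    # A nurse looks up a patient who shares her surname.
    rows.append("2019-02-02,rsmith,Smith,nurse,MRN-2042,Smith")
    # A front-desk employee opens a chart the record director has flagged.
    rows.append("2019-02-03,tnguyen,Nguyen,front_desk,MRN-7007,Doe")
    return "\n".join(rows) + "\n"


def parse_log(text):
    """Parse the CSV audit trail into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def flagged_access(records):
    """Any access to a flagged chart: worth an immediate alert, not a monthly review."""
    return [r for r in records if r["mrn"] in FLAGGED_MRNS]


def surname_matches(records):
    """Accesses where the employee's surname equals the patient's surname."""
    return [r for r in records
            if r["user_surname"].casefold() == r["patient_surname"].casefold()]


def volume_anomalies(records):
    """Per user, flag days whose count is >= VOLUME_FACTOR x the median of that
    user's other days. The median keeps one spike from inflating the baseline."""
    per_user_day = defaultdict(Counter)
    for r in records:
        per_user_day[r["user"]][r["date"]] += 1
    hits = []
    for user, days in per_user_day.items():
        if len(days) < MIN_DAYS:
            continue
        for day, n in days.items():
            baseline = statistics.median(c for d, c in days.items() if d != day)
            if n >= VOLUME_FACTOR * baseline:
                hits.append((user, day, n, baseline))
    return hits


def run_checks(text):
    """Run all three checks and return a summary keyed by check name."""
    records = parse_log(text)
    return {
        "flagged": flagged_access(records),
        "surname": surname_matches(records),
        "volume": volume_anomalies(records),
    }


if __name__ == "__main__":
    for name, hits in run_checks(build_sample_log()).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

Each check produces a short list for a human to review rather than a verdict: a surname match may be a coincidence and a volume spike may be a legitimately busy day, but both are the kind of lead the text says nobody is currently pulling out of the logs.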
Some hospitals also assign an alias to celebrity patients so that anyone searching for records under the patient's real name comes up empty-handed, McPherson notes. Audits may reveal those unsuccessful searches, which still could result in disciplinary action.
“My experience has been that hospitals are not really on top of this until there has been a problem,” McPherson says. “You have too many other things to spend time and money on. If your system seems to be working, nobody pays attention to this issue. But once they have a problem and it becomes public, then they’re on top of it and implement more controls to protect those records.”
On the other hand, some hospitals make a point of offering greater confidentiality for their patients, particularly facilities in communities with a higher percentage of celebrity patients. Sometimes, those hospitals market their enhanced record security to potential patients, McPherson notes.
The Smollett incident illustrates the limitations of simply telling employees not to look at celebrity files, says Bill Joll, head of worldwide sales for BlackRidge Technology, a technology security company based in Reno, NV.
“This case is consistent with other common HIPAA violations, where individuals either purposely or inadvertently access unauthorized medical records. It doesn’t matter which, as the records are already compromised,” Joll says. “Many healthcare organizations lack the proper security and risk management solutions to prevent this. This is even more true within the broader med-tech solution and service provider ecosystem.”
Joll notes that when HIPAA was put in place, organizations scrambled to implement policies and procedures to comply. They often took a simplistic approach to limiting access to patient records, he says.
“We’ve discovered over the years that many of the policies and procedures implemented stuck to the ‘don’t do this’ or ‘don’t do that’ level. Organizations generally put enough in place to pass HIPAA audits, but compliance with a particular statute does not equal security,” Joll says. Many healthcare organizations equate risk management with compliance. However, a compliance audit is only a “point in time” snapshot of one auditor’s perception of whether policies are in place and followed, Joll says. Audits give no visibility into what is happening, or what is actually enforced, at any point in between, he says.
While security leaders in the healthcare industry are increasingly embracing a mix of security products to protect the organization, the technologies they deploy often are focused on post-breach detection, Joll says. “Compounding this problem, many hospitals lack the necessary resources to proactively review and monitor much of these solutions. Even if a detection product is in place, an attack or breach often goes unnoticed,” he says. “This leaves many organizations in the position of having only policies and procedures in place to deal with [protected health information] and relying on adequate training of employees who are incentivized to focus on patient care rather than cybersecurity. Healthcare organizations must ensure that only authorized access of patient records is allowed by enforcing core internal security and access policies at all times, not just at the point of audit.”