I can tell you from experience that snooping is a serious problem that haunts every entity with health information to protect.  Even if you don’t know it is haunting you, it is.  You will learn to fear it eventually.  The extent of improper record access (which we will call snooping) goes well beyond what most people imagine.  We all assume that healthcare professionals keep patient information confidential.  In the real world, most workers know someone who has improperly accessed records, if they haven’t done it themselves.


HIPAA For MSPs by David Sims Snooping Is A Serious Problem

In reality, far more cases occur every day than anyone counts.  The problem continues to grow for various reasons.  Today we cover some examples of what is going on out there and some ways you can protect your own patients.

A recent case in Las Vegas highlights the issues that Prescription Monitoring Program (PMP) databases have brought into our world.  Some states call them Prescription Drug Monitoring Programs (PDMP); the two names refer to the same thing.  These systems were intended to help providers identify and handle drug seekers and addicts who bounce from provider to provider.  The concept is that every controlled-substance prescription is entered and accessible to providers so they can identify patients who need assistance via counseling or rehab.  The intended purpose is great, but it has opened a can of worms for privacy officials all over the country.

States, or groups of states, run these PDMP/PMP sites, and providers sign up individually so they can use the tool as intended.  In recent years, many issues have arisen that make it clear the idea is a good one but the implementation wasn’t well thought out.  No one seems to be taking responsibility for enforcing access limitations and privacy rights.  Because it is a state-run program that providers sign up for on their own, hospitals and other provider groups say they can’t control access to it, and if they can’t control access, they argue they have no way of being responsible for what is done with it.

In the Vegas case, a doctor’s PMP account was used to pull the records of the mass murderer who attacked the concert last year.  The news coverage put it this way:

Although Paddock was never Goldsmith’s patient, the weight-loss doctor in court documents “admits to directing his office staff to use his PMP account to query Paddock’s confidential patient information and to obtain patient utilization reports on October 2, 2017 and again on October 3, 2017,” the pharmacy board said in a May 1 filing against Goldsmith.

After Goldsmith’s account was used to access those records, the Las Vegas Review-Journal posted an exclusive story the evening of Oct. 3 that reported Paddock had been prescribed the anti-anxiety drug diazepam, known by its brand name, Valium. The report was picked up by media outlets worldwide.

The laws say you shouldn’t access these records except for one of your own patients, in order to provide care.  Basically, you should follow the same rules for them that you follow for other patient records under HIPAA.  However, no one takes responsibility for managing them.  HIPAA rules are being bypassed because this is a new kind of system that hasn’t been addressed with specific HIPAA guidance yet.  I can assure you that such guidance is needed.

Not only did the Vegas story involve improper access to PMP records under the doctor’s account, he told his staff to do the lookups for him.  That means the staff all know his login details too.  Once you count the staff members who can use a shared account, you begin to see just how widespread the abuse of access can become.

BTW, the lawyer for the doctor says he is pleading the fifth.  Law enforcement is looking into this, as is the Nevada licensing board.  Why hasn’t this been made a HIPAA issue?  Well, it isn’t clear yet how it fits under HIPAA.  Hopefully, OCR will address this problem sooner rather than later.

In the interim, if you are dealing with one of these systems in your state, you had better have a plan for addressing access to it.  It is just a matter of time before someone uses it inappropriately and you are stuck figuring out what it all means.  Do it now and maybe you can prevent it altogether.  If you can’t prevent it, at least be prepared when it happens.  Based on what I am seeing, it will happen, if it isn’t already happening in your environment.

People are using this access to dig up information for divorce and custody cases.  They are snooping, as in the Vegas case, which likely involved getting some cash for the knowledge.  They are using it for employee evaluations and much more.  No one is serious about policing these systems.  Yet.

Another case in OKC echoes similar issues.  There are far more cases than we could ever cover, but these two should give you adequate insight.

In this case, we see what can happen when you suffer a tragedy and others take an interest in the situation.  In Oklahoma (why are we now talking about OK in three straight episodes?), the death of a toddler launched a run on the EHR records from his ER visit.  As reported:

The complaint, filed by the child’s adoptive parents, Gerl and Denise Russell, alleges that unauthorized employees of McAlester Regional Health Center violated HIPAA, breaching their son Keon’s electronic health information on July 17, 2016, when the 2-year old was transported to the hospital’s emergency department where he died after a swimming pool accident.

The Russells allege that a hospital worker inappropriately accessed Keon’s electronic health records and notified the child’s birth mother – who had allegedly consented to terminate her rights upon his adoption by the Russells in July 2015 – of the child’s death.

“As a result of the aforementioned breach/violation, plaintiffs were forced to deal with [Keon’s] biological mother during their time of grieving, specifically being subjected to extreme emotional distress during the funeral proceedings, as well as other incidents of emotional distress in dealing with the biological mother,” the suit alleges.

That is bad enough on its own.  But during the review of access to the child’s records, it was also found that they were accessed by several cafeteria workers on the same day.  This part shows how widespread snooping issues really can be.

Attorney Mark Edwards, who is representing the Russells in the lawsuit, alleges that McAlester’s cafeteria workers were able to inappropriately access the hospital’s EHR system through the credentials of one food service employee who was authorized to access patient information to check whether individuals had certain dietary restrictions or had diabetes and to confirm patient room numbers where meals were delivered.

A hospital food service employee who was authorized to access the EHR system was instructed to make those credentials – username and password – available to the other cafeteria workers by posting them on a sticky note on a computer, Edwards claims.

The problem with that is the audit trail shows the account of the one person with approved EHR access opening the child’s records several times that day.  BUT that employee wasn’t even at work the whole day.
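The tell in both the PMP story and the cafeteria story is the same: an account doing things its owner could not have been doing.  Below is an added example, not code from this episode or from any audit product mentioned here, of the three correlations an audit reviewer would run over EHR access logs to surface that pattern: access while the account owner was not clocked in, the same account active from two workstations within minutes, and access to a patient the user has no documented care relationship with.  The log format, usernames, MRNs, workstation names, shift times and care-team table are all constructed for illustration.

```python
"""Flag likely record snooping in a constructed EHR audit trail.

Three checks, drawn from the cases discussed above:
  OFF_SHIFT            access under an account whose owner was not clocked in
                       (the sticky-note / shared-credential pattern)
  MULTI_WORKSTATION    same account active from two workstations within a few
                       minutes (another sign the login is being shared)
  NO_CARE_RELATIONSHIP access to a patient the user has no documented reason to see
All sample data here is constructed; it is not from any real hospital system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    workstation: str


def parse_line(line: str) -> Access:
    # Constructed line format: "2016-07-17T14:05:00|jdoe|MRN1001|WS-CAF-02"
    ts, user, patient, ws = line.strip().split("|")
    return Access(datetime.fromisoformat(ts), user, patient, ws)


# Constructed audit log lines (one chart open per line).
AUDIT_LOG = [
    "2016-07-17T06:10:00|foodsvc1|MRN1001|WS-CAF-01",
    "2016-07-17T06:12:00|foodsvc1|MRN1002|WS-CAF-01",  # no dietary order for this patient
    "2016-07-17T09:30:00|rn_smith|MRN1001|WS-ER-03",
    "2016-07-17T13:45:00|foodsvc1|MRN1001|WS-CAF-02",  # owner clocked out at noon
    "2016-07-17T13:46:00|foodsvc1|MRN1001|WS-CAF-01",  # second workstation, one minute later
    "2016-07-17T16:20:00|foodsvc1|MRN1001|WS-CAF-02",
]

# Constructed timekeeping export: clocked-in intervals per user.
SHIFTS = {
    "foodsvc1": [(datetime(2016, 7, 17, 5, 30), datetime(2016, 7, 17, 12, 0))],
    "rn_smith": [(datetime(2016, 7, 17, 7, 0), datetime(2016, 7, 17, 19, 0))],
}

# Constructed care relationships: users with a documented reason to open a chart
# (treating clinicians, dietary staff assigned to a patient with a diet order, ...).
CARE_TEAM = {
    "MRN1001": {"rn_smith", "foodsvc1"},
    "MRN1002": {"rn_smith"},
}


def on_shift(user: str, ts: datetime) -> bool:
    """True if ts falls inside one of the user's clocked-in intervals."""
    return any(start <= ts <= end for start, end in SHIFTS.get(user, []))


def find_snooping(lines, concurrency_window=timedelta(minutes=5)):
    """Return a list of (finding_kind, Access) pairs for the supplied log lines."""
    accesses = sorted((parse_line(l) for l in lines), key=lambda a: a.ts)
    findings = []
    last_seen = {}  # user -> (ts, workstation) of that user's previous access
    for a in accesses:
        if not on_shift(a.user, a.ts):
            findings.append(("OFF_SHIFT", a))
        prev = last_seen.get(a.user)
        if prev and prev[1] != a.workstation and a.ts - prev[0] <= concurrency_window:
            findings.append(("MULTI_WORKSTATION", a))
        if a.user not in CARE_TEAM.get(a.patient, set()):
            findings.append(("NO_CARE_RELATIONSHIP", a))
        last_seen[a.user] = (a.ts, a.workstation)
    return findings


def summarize(findings):
    """Count findings by kind, for a quick review dashboard."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, a in find_snooping(AUDIT_LOG):
        print(f"{kind:22} {a.ts.isoformat()} {a.user} -> {a.patient} @ {a.workstation}")
    print(summarize(find_snooping(AUDIT_LOG)))
```

On the constructed data this flags every afternoon access by `foodsvc1` as off shift, the 13:45/13:46 pair as a shared login in use on two machines at once, and the morning look at MRN1002 as a chart that user had no business opening.  The care-team check is the one that needs real organizational input: the list of legitimate reasons to open a chart has to come from scheduling, orders and admissions data, not from the EHR’s own role assignments, because the role is exactly what the sticky-note credential already had.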

Edwards also alleges that prior to the incident involving the Russells, “the only HIPAA training hospital workers received was watching a two- to three-minute video on HIPAA once a year, along with other training videos.”

The annual, generic training raises its ugly head!

These are not the anomalies they may seem to be, however.  Since these cases usually involve one or two patients at a time, we don’t see them make the news that often.  Many times they are covered up or minimized by those in charge of protecting the privacy of their patients.  When you turn on an audit program like SPHER, most groups are shocked to see just how bad the problem really is in their organization.  Large or small, information is power, and you have access to the most valuable private information out there.

A few cases, like Farrah Fawcett’s and NY Med, we know about because they made the news, but a quick search will net you many more, and even those are only the ones that got reported:

MUSC terminates employees who ‘snoop’ in patients’ medical records

Employees Suspended for Alleged Record Snooping

Allina hospitals fire 32 over privacy violation

Hospitals’ biggest threat to patient data is hiding in plain sight

Carilion Clinic Fires or Disciplines 14 Workers for Inappropriate Access

HIPAA Breaches: Small-scale snooping is most common

These cases show us just the tip of the iceberg when it comes to failures of privacy protection.  We often want to trust that people will always do the right thing; however, that is not always a good idea.  A privacy program that relies on conscientious staff members always doing the right thing may be a huge risk for your patients.  The impact these cases have had on the patients involved hasn’t been reported in detail.  I can assure you, though, that it is very stressful at a minimum, if not worse.  Find a way to watch for this kind of violation closely and deal with it sternly when it does occur.