
Despite decades of investment in privacy programs, unauthorized access to patient records remains a persistent and costly challenge for healthcare organizations.
Patient privacy breaches cost an average of $9.8 million per incident; typical cases include employees snooping on friends, coworkers and family members and looking into the charts of celebrities.
Clearly, the stakes are high, yet current efforts to discourage, detect, and address violations still leave room for improvement.
Here are 10 ways to strengthen patient privacy protections in your organization, helping you identify potentially inappropriate accesses and mature your privacy operations.
- Formalize Investigation Protocol
Develop and document standard workflows for investigations, including escalation paths for defined case categories and “look-back” periods to determine if there’s a pattern of inappropriate access.
- Prioritize Education and Training
Carefully review patient privacy guidelines with employees as they onboard and at regular intervals afterward. Clearly communicate the importance of privacy and the consequences of unauthorized access to records. Use investigations and enforcement as further opportunities for workforce awareness – call it “education by enforcement.”
- Automate Reporting and Monitoring
As data volumes, staff activity, and patient visits increase across the board in healthcare, the average hospital generates 60 million auditable record-related events per month, but audits only 1,000 of them manually. Use audit logs and monitoring tools, which can be integrated with EHRs, to review all accesses to patient records and to identify any suspicious accesses. Incorporate machine learning to detect unusual behavior and compile suspicion scores. Automation can enhance the detection of potential suspicious accesses and reduce the routine review workload.
- Enforce Accountability
“I didn’t do it,” insists an employee caught improperly accessing records. Now what? One way to counter that claim is to hold employees accountable for all actions conducted under their User IDs. Ensure that your IT Device User Policy incorporates language that holds employees accountable for all accesses. Use audit trails, screenshots, and security camera footage, if necessary, to further verify who accessed patient information and when.
- Maintain Documentation and Transparency
Create and maintain detailed records of all investigations, interviews, and outcomes. Be transparent with employees and patients about investigatory processes and any breach notifications. Investigations serve as reminders to everyone to keep protected health information secure.
- Collaborate with HR
Some organizations include HR personnel in their investigative interviews. Others do not. Whichever process you select, ensure that you collaborate closely with HR leaders throughout the investigative and enforcement process. They are essential partners in the process of imposing corrective actions.
- Prep Fully for Interviews
Gather as much evidence as possible about the potential inappropriate access before conducting the investigative interview with the suspected employee. Consider an interview template that starts with warmup questions about the user’s role and regular EHR use. Develop a rapport and ask the subject to “help you understand.” Maintain a respectful fact-finding demeanor in the conversation, but firmly challenge inconsistent statements with documented evidence. In most cases, it shouldn’t resemble an interrogation.
- Investigate Broadly
Be expansive in your investigation. Collaborate with IT and informatics teams to interpret audit data and, as needed, replicate the user’s actions to establish certainty about what occurred. There are times when IT teams can also demonstrate a subject’s interest in particular conditions by analyzing ICD-10 codes. Integrating HR data into monitoring software can help reveal connections between coworkers, past and present. Closed-circuit cameras can supply conclusive evidence of an inappropriate access, especially when the culprit denies all involvement. Social media, news articles, obituaries, and court dockets can reveal other connections between employee and patient that validate suspicions with circumstantial evidence.
- Standardize Sanctions
Treat all employees the same regardless of rank, though the severity and scope of particular breaches will vary.
- Adapt to Emerging Risks
Stay informed about emerging privacy challenges, such as the use of AI, new solutions, and new vendors, and adapt your policies and training accordingly.
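The monitoring logic behind “Automate Reporting and Monitoring” and “Investigate Broadly” (review every access, join HR data to expose coworker connections, and roll reasons up into a suspicion score), as an added Python example that is not code from the article or from Bluesight. The roster, care-team table, flagged-chart list, audit events and weights are all constructed stand-ins for what an EHR audit feed and HR system would supply.

```python
from collections import defaultdict

# Constructed sample data (not real employees or patients). The roster stands in
# for the HR feed: department plus, where an employee is also a patient, their chart id.
HR_ROSTER = {
    "u100": {"dept": "cardiology", "own_patient_id": "p500"},
    "u200": {"dept": "billing", "own_patient_id": "p600"},
    "u300": {"dept": "cardiology", "own_patient_id": None},
}
# (patient_id, department) pairs with a documented treatment or billing relationship.
CARE_TEAM = {("p001", "cardiology"), ("p002", "cardiology"), ("p002", "billing")}
VIP_PATIENTS = {"p900"}  # charts under extra watch (public figures, board members)
COWORKER_RECORDS = {e["own_patient_id"] for e in HR_ROSTER.values() if e["own_patient_id"]}
# Weight per reason; tune against the outcomes of past investigations.
WEIGHTS = {"self_access": 3, "coworker_record": 4, "vip_no_relationship": 5,
           "no_care_relationship": 2, "unknown_user": 1}
EVENTS = [  # constructed EHR audit events: which account opened which chart
    {"user_id": "u100", "patient_id": "p001", "action": "view"},
    {"user_id": "u100", "patient_id": "p500", "action": "view"},
    {"user_id": "u200", "patient_id": "p001", "action": "view"},
    {"user_id": "u300", "patient_id": "p600", "action": "view"},
    {"user_id": "u300", "patient_id": "p900", "action": "view"},
    {"user_id": "u999", "patient_id": "p001", "action": "view"},
]

def flag_event(ev):
    """Return the suspicion reasons for one access event (empty if it looks routine)."""
    emp = HR_ROSTER.get(ev["user_id"])
    if emp is None:
        return ["unknown_user"]        # account missing from the HR roster
    pid = ev["patient_id"]
    if pid == emp["own_patient_id"]:
        return ["self_access"]         # own chart: a policy violation regardless of role
    if (pid, emp["dept"]) in CARE_TEAM:
        return []                      # department has a documented reason to be there
    if pid in COWORKER_RECORDS:
        return ["coworker_record"]     # colleague's chart with no care relationship
    if pid in VIP_PATIENTS:
        return ["vip_no_relationship"]
    return ["no_care_relationship"]

def score_users(events):
    """Sum weighted reasons per user, highest first, so reviewers triage the worst cases."""
    scores = defaultdict(int)
    for ev in events:
        for reason in flag_event(ev):
            scores[ev["user_id"]] += WEIGHTS[reason]
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))
```

Feeding a month of real audit events through `score_users` turns millions of rows into a short, ranked worklist; the reasons attached to each event are also the documentation an investigator needs when preparing for the interview.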
Investigations into privacy breaches – whether through internal misuse, such as inappropriate access or through external threat actors – help ensure compliance, protect sensitive data, and maintain patient trust. These breaches can lead to serious legal, financial, and reputational consequences. Safeguarding privacy not only fulfills legal obligations, but also strengthens the patient-provider relationship.
About Heather Arthur
Heather Arthur is the Director of Privacy Strategy at Bluesight, a company that solves supply chain inefficiencies and reduces risk by using AI and machine learning to surface actionable analytics for every step of the medication lifecycle.