Case Study: Catching Health Data SnoopsHow One Hospital Prevents Medical Records Breaches
What do former U.S. Rep. Gabrielle Giffords and Britney Spears have in common? Each had their privacy violated by hospital workers who were caught snooping at their medical records.
See Also: HIPAA Audits: A Revised Game Plan
Unfortunately, HIPAA violations such as those are too common, as technology gives hospital workers to much access to see - and share - medical records outside their authorization.
But at St. Dominic-Jackson Memorial Hospital in Mississippi, a proactive breach prevention strategy has dramatically reduced privacy violations involving nosy healthcare workers.
The key to St. Dominic's breach prevention strategy: a combination of technology, employee training and a dose of fear, says Dena Boggan, HIPAA privacy/security officer at the 571-bed, Jackson, Miss.-based hospital.
Privacy breach auditing software provides Boggan with alerts and daily reports to incidents involving inappropriate data access. When those incidents are revealed, Boggan jumps into action.
Since 2008, when St Dominic's first rolled out this new system, the number of inappropriate access incidents has plummeted from about 50 in the first month of monitoring to "maybe one to two incidents every two months or so," Boggan says.
The breach prevention activities also have resulted in fewer repeat offenders and few serious breaches. "In six years, we've had to let three people go" because of incidents, she says.
How it Works
The software, from Fairwarning, allows Boggan to audit user activity simultaneously across all audit sources, or systems containing electronic protected health information, she says. "Automated reporting alerts you to potential inappropriate activity within hours of occurrence, versus days, weeks, or months after occurrence," she says. "This is vital for detecting possible breaches quickly, so subsequent investigations can be launched in a timelier manner."
When a breach is detected, the suspected employee's supervisor is notified, and an investigation launched. Sometimes a suspected breach isn't really a violation - the employee might have been a hospital worker who was actually asked by a supervisor to float between patient units during a shift. This can sometimes be cleared up early on, she says.
When an inappropriate access incident is discovered, the suspected employee is brought into a meeting with Boggan, the employee's manager and the human resources director. The individual is confronted with evidence of the incident and then asked to explain their motivation for snooping. Not surprisingly, the confrontations can be a bit uncomfortable.
Most of the time, the motivation for the snooping is curiosity or concern about a coworker, family member or neighbor, she says. However, occasionally, the motivation is more malicious, such as spying on soon-to-be-ex-spouse in a nasty divorce.
If the incident was not malicious, the employee is levied sanctions that range in three tiers, starting with a verbal citation with coaching about this behavior not reoccurring. Tier two is a written citation; a third tier is a final warning. Four times, you're out. And if the breach is a HIPAA violation that the hospital needs to report to the Department of Health and Human Services, the incident remains in the worker's permanent record.
Boggan rejects the idea of a zero-tolerance policy leading to immediate firing for inappropriately accessing patient records without authorization, unless the incident was egregious. "People are inherently good, and my personal feeling is if you talk to an individual, they'll change," she says. "Of everyone I've ever counseled on this, I've never had a second infraction."
Nevertheless, firings for breaches can be put on fast-forward, skipping sanction levels, especially in malicious incidents or if an employee snoops on a politician or other public person. "If it's a VIP like the governor, you go straight to final warning," Boggan says.
By now, full-time employees, especially those who have worked at St. Dominic's for awhile should know the rules, Boggan says. Incidents now usually involve new hires or part-time people who work weekends.
And breaches are much more detectible. Prior to rolling out the breach prevention system, looking for incidents of inappropriate access through audit logs was "a needle in the haystack," Boggan says. The process took eight weeks to randomly audit 10 charts. Now, "I'm able to audit across the board every single record on our systems daily."
Other data security initiatives under way include efforts to encrypt mobile devices and beefing up training of St. Dominic's users.
"We've undergone a training initiative to educate those who have portable devices on the proper steps to take to secure those devices, and what to do in case these are lost or stolen," Boggan says. "We also encourage users to save files containing protected health information to network drives, not hard drives on their computers, and we are also in the process of transitioning to a thin-client product that does not contain a personal hard drive, thereby giving the user no option to save to a personal hard drive," she says.
Also, some other devices, such as thumb drives and CD burners, are not usable on St. Dominic's systems, which helps limit downloading or uploading information.
In addition, the hospital is developing a strategy for how to handle mobile devices owned by staff. "We have formed a task force to tackle the challenge presented by BYOD to determine the best approach to incorporate this effectively into what we currently have in place," she says.
In the meantime, St. Dominic's is rolling out an app to iPhones and other mobile devices that encrypts data, including texts, that are sent to or from St. Dominic's servers, Boggan says.
The aim is to protect data in a way that's also user friendly as well, she says. "That's our big push for 2013," she says.
To date, St. Dominic's has been fortunate in protecting against serious breaches, she says. The hospital has not had incidents involving its firewall being penetrated, or breaches that involved information being taken outside the organization or identity fraud.
"Most of it is dumb human stuff," she says. Still, Boggan and the team at St. Dominic's stay vigilant. "With breaches, it's not a matter of if, it's when," she says. "I tell our CEO we have to be ready; we have to be proactive."