Employees and HIPAA ‘Snooping’

Many articles listing the Top HIPAA threats pretty much follow a similar theme:  Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark.

These recommendations should be followed, but they fail to address the top HIPAA threat – practice employees...

According to the recently published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious Insiders” (25%) and “inadvertent actors” (46%).

Although IBM´s Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues and celebrity patients.

Since this sort of ‘snooping’ constitutes an unauthorized disclosure of PHI, it is a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats.  Snooping is certainly a threat that State authorities and the Office for Civil Rights would expect a Covered Entity to address in a HIPAA risk assessment.

Adapted from HIPAA Journal, January 15, 2018