Issue link: https://beckershealthcare.uberflip.com/i/1161749
CIO / HEALTH IT

EHR snooping: Best efforts to bust, punish and prevent it

By Jackie Drees

Whether it's the result of sheer curiosity or motivated by an act of malice, EHR snooping is a serious employee offense that can occur at any hospital.

The Medical University of South Carolina in Charleston fired 13 employees in 2017 for viewing patient records without authorization. Earlier this year, Chicago-based Northwestern Memorial Hospital terminated approximately 50 staff members who inappropriately accessed actor Jussie Smollett's medical records. One employee told NBC Chicago she was fired on the spot.

"Simply put, it was morbid curiosity," the former employee said of viewing Mr. Smollett's health information. "I went into the charting system and started to search his name. I clicked just once. I never clicked into his chart."

Curiosity can also tempt employees to look at health records of patients they know personally, from family members to coworkers. Between 2016 and 2017, HHS reported that 1,309 records were inappropriately accessed by a single employee at a healthcare organization.

In March, a patient at Winfield, Ill.-based Northwestern Medicine Regional Medical Group sued the health system and a former employee for allegedly accessing her health records and posting them on social media. The lawsuit claimed the former employee viewed the patient's medical records before sending them to her ex-boyfriend, who posted the information on Twitter.

"In some instances, an employee believes they are helping a friend or loved one by looking at their chart and then providing guidance as to which provider to seek care from or how to assist with scheduling an appointment," Penn Medicine CIO Michael Restuccia said. "In other situations, an employee is simply curious regarding a friend or loved one's health, reason for an appointment or perhaps changes in behavior. Regardless of the reason, without written consent, both situations represent inappropriate employee behavior."

While some employees have faced termination for EHR snooping, others may even experience legal ramifications. In June, a former Pittsburgh-based UPMC care coordinator was sentenced to one year in federal prison for illegally accessing and disclosing 111 patients' medical records. After being fired from UPMC in June 2017, Lisa Kalina, 62, went on to work for Allegheny Health Network in Pittsburgh, where she inappropriately disclosed patient health information yet again. In addition to her prison sentence, Ms. Kalina faces three years of probation.

HHS' HIPAA privacy and security rules require hospitals and health systems to implement sanctions against staff members who violate privacy and security policies, such as EHR snooping. However, the office leaves the responsibility of determining appropriate punishment up to the healthcare organizations, an OCR spokesperson said in an emailed statement to Becker's Hospital Review.

How to bust it

While EHR snooping may not be completely preventable, there are controls hospitals can implement to better monitor employees who access the EHR, such as audit logs. Enabling audit logs within the EHR gives hospitals the ability to analyze user activity, including log-on attempts and record editing.

"Once enabled and configured, [hospitals] should implement processes to review user activity to identify potential unauthorized access or misuse of health information," according to OCR. "Regular reviews of audit logs can assist in identifying suspicious activity as it is occurring as well as provide a record to reconstruct events that happened in the past."

Additionally, under the HIPAA Security Rule, covered entities, such as hospitals and health systems, are required to add role-based access controls that restrict EHR access to individuals based on their specific job position, such as physician, scheduler or biller, according to OCR. Hospitals may also consider implementing the ability to lock or prevent access to patient medical records that could be at higher risk of unauthorized viewing, such as those of celebrities or of employees who are also patients, unless additional authorization is obtained.

How hospitals are preventing it

NewYork-Presbyterian Hospital partnered with Splunk, an information security company, to develop a patient privacy platform that uses correlation and machine learning technology to identify potential instances of EHR snooping.

"This includes employees who browse coworker records, view excessive numbers of records or those of a high-profile patient," said Jennings Aske, senior vice president and CISO at the New York City-based health system. "NYP has also implemented advanced security software to protect high-risk IT accounts from being hacked and used by cyber criminals or insider threats."

At Philadelphia-based Penn Medicine, employees receive ongoing education, from initial orientation to annual mandatory data privacy and security training sessions, to best differentiate between appropriate and inappropriate access to patient data.

Additionally, the health system implemented an electronic surveillance tool that can identify any suspicious access of patient health records. The tool generates a detailed report of the patient data accessed, which Penn Medicine's Data Privacy Compliance team reviews during an investigation of the suspicious behavior.

"In many instances, the investigation reveals that the employee had a valid reason for accessing the records, [for example, a] consult or new member to care team," Mr. Restuccia said. "Unfortunately in other scenarios, the investigation reveals inappropriate access and action [is taken] ranging from a warning to employee termination."

Beaumont Health in Southfield, Mich., also uses a machine-learning tool within the EHR that can monitor each access a workforce member makes in the system, according to Kelly Partin, Beaumont Health senior director of compliance. After performing a review of the staff member's job position and work location, among other factors, the tool can flag suspicious access for further investigation.
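As an added illustration, not a tool used by any hospital named in this article, the following Python sketch applies the review criteria the article describes to a constructed EHR audit log: role-based action restrictions, access to a restricted (high-profile) record without documented break-the-glass authorization, access to a coworker's record by someone outside the care team, and an unusually high number of distinct records viewed. The user ids, MRNs, role table, threshold and log layout are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample data; none of it comes from a real hospital system.
# Employee roster: user id -> role and, if the employee is also a patient, their MRN.
EMPLOYEES = {
    "u_alice": {"role": "physician", "own_mrn": None},
    "u_bob":   {"role": "scheduler", "own_mrn": "MRN-3001"},
    "u_carol": {"role": "biller",    "own_mrn": None},
}
# Privacy-office flags per record: restricted (high-profile) status and current care team.
PATIENTS = {
    "MRN-1001": {"restricted": True,  "care_team": {"u_alice"}},
    "MRN-3001": {"restricted": False, "care_team": set()},  # a coworker's own record
    "MRN-4004": {"restricted": False, "care_team": set()},
}
# Role-based access control: actions each job position may perform.
ROLE_ACTIONS = {
    "physician": {"view_chart", "edit_chart", "view_demographics"},
    "scheduler": {"view_demographics"},
    "biller":    {"view_demographics", "view_claims"},
}
EXCESSIVE_THRESHOLD = 2  # distinct records per user in the review window (assumed baseline)
# Constructed audit log rows: (timestamp, user, action, mrn, break_glass_documented)
AUDIT_LOG = [
    ("2019-08-01T09:00", "u_alice", "view_chart",        "MRN-1001", False),
    ("2019-08-01T09:05", "u_carol", "view_chart",        "MRN-1001", False),
    ("2019-08-01T09:10", "u_carol", "view_demographics", "MRN-3001", False),
    ("2019-08-01T09:16", "u_bob",   "view_demographics", "MRN-1001", True),
    ("2019-08-01T09:17", "u_bob",   "view_demographics", "MRN-3001", False),
    ("2019-08-01T09:18", "u_bob",   "view_demographics", "MRN-4004", False),
]

def review_audit_log(log):
    """Return (user, mrn, reason) findings for the privacy team to investigate."""
    findings = []
    distinct = defaultdict(set)
    for _ts, user, action, mrn, break_glass in log:
        role, patient = EMPLOYEES[user]["role"], PATIENTS[mrn]
        on_team = user in patient["care_team"]
        distinct[user].add(mrn)
        if action not in ROLE_ACTIONS[role]:
            findings.append((user, mrn, "action not permitted for role"))
        if patient["restricted"] and not on_team and not break_glass:
            findings.append((user, mrn, "restricted record without break-the-glass"))
        # Record belongs to another employee and the viewer is not on the care team.
        if any(e["own_mrn"] == mrn for u, e in EMPLOYEES.items() if u != user) and not on_team:
            findings.append((user, mrn, "coworker record outside care team"))
    for user, mrns in distinct.items():
        if len(mrns) > EXCESSIVE_THRESHOLD:
            findings.append((user, None, "excessive distinct records"))
    return findings
```

Each finding is only a lead for investigation, matching the article's point that many flagged accesses turn out to have a valid clinical reason.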