Immediate Alerts About Unauthorized ePHI Access Reduced Repeated Snooping by Almost 100%

Posted by HIPAA Software on Apr 20, 2022

Recently, the monthly medical journal JAMA Network Open published research on unauthorized ePHI access. The results showed that an immediate alert sent to employees' email after their unauthorized access to a patient's electronic records prevented them from repeated snooping. Only a few workers repeated the unauthorized action.

Why Is This Research on Unauthorized ePHI Access Important?

According to the U.S. Department of Health and Human Services (HHS), more than 90% of the violations concerned unauthorized ePHI access by in-house workers. The figures show that such data violations are very widespread and at an all-time high.

Although the media often highlight cases of snooping on dignitaries' records, such incidents are rare. Situations in which an employee snoops on the records of a patient's family, friends, relatives, etc. are far more common. These violations also directly harm the patient.

Briefly About the Study 

The research took place at an academic medical center. Scientists from Michigan State University, Johns Hopkins, and Nick Culbertson conducted it. Nick Culbertson is also known as the CEO and one of the founders of Protenus, a platform that provides healthcare compliance analytics services, HIPAA compliance in particular.

The study started at the very beginning of 2018 and ended at the end of July of the same year. Almost 450 workers in the medical field took part in this research. They had to access the electronic records of patients they didn't treat. Scientists picked 49% (219 employees) of participants to send them alerts on the night of the research. The other 51% (225 employees) formed a control group and didn't receive any email notifications.

The email explained that the worker who received it had been detected accessing a patient's electronic records without a purpose related to their professional obligations.

The Results of the Research on Unauthorized ePHI Access

Only 4 workers (2% of the total number of participants in this group) from the group that accessed the medical records without authorization received the alert again 20-70 days after the first violation. In the control group, 90 employees, about 40% of the people in this group, committed unauthorized ePHI access again. They received the alert in the same period of time as the first group.

Overall, this study showed that email alerts were 95% effective at reducing further violations. Of course, the research had its limits. Most importantly, the results can't be applied to all medical organizations. But it shows that immediate intervention is a very effective way to avoid future violations of patients' confidentiality. If no measures are taken, workers will probably go on accessing private information and violating HIPAA Rules. Moreover, after the research, the participants highlighted the importance of reliable PHI security.


An Example of Such a Violation

At the end of the previous year, a Huntington Hospital employee was accused of a HIPAA violation because of unauthorized ePHI access as well as unauthorized access to electronic records. The hospital found out that the night-shift worker accessed the electronic medical records in an unacceptable way and without any permission. This employee also had to inform about 13K affected individuals about the data breach.

The case emphasized the importance of maintaining cybersecurity education for employees and strict security monitoring. The constantly shifting PHI situation demands continuous risk analysis and management. Simple email alerts, together with a system for monitoring access to PHI, can reduce the risk of repeated unauthorized access to ePHI and medical records. And it will bring a lot of value to patients and healthcare organizations.
