Are you auditing your own employees? I know that I have written about this issue in the past, but it is something we all need to be aware of and have a plan in place that we can actually carry out. None of us want to think about our own employees or our business associates (BAs) as a HIPAA concern. Unfortunately, we do need to include auditing them in our security plan.
University Hospitals out of Cleveland had to notify 700 patients that they had a HIPAA breach when they caught one of their employees looking at confidential records. This employee was looking at both financial and medical records for over three and a half years before they were discovered. Not only were these patients’ medical records compromised but so were their social security and financial records. This was really a double concern for the patients. The facility found out after a complaint was made and they audited the EMR access of users for patients from January of 2011 through June of 2014.
I am sure that University Hospitals did not set out to allow their employees this kind of access. I am also sure that they evaluated their security and thought they were doing a good job. What they didn’t do was realize or correctly identify the data that their employees had access to and put a regular audit process in place.
Do you have role-based access? In other words, does the role of an employee define what data they have access to? Have you defined the roles associated with each of your job descriptions and what access each role needs? This is a really good place to start understanding what access your users have. If you don’t have a process in place to audit your EMR and the other places you store patient data, now is the time to sit down, determine how you can audit that access, and then put the audit in place.
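As an added illustration (this is example code, not anything from the post or from University Hospitals), here is a minimal access audit of the kind the paragraph above is asking for. It assumes a hypothetical EMR access log in the form `timestamp,user,role,patient_id,record_type`, a hypothetical `ROLE_PERMISSIONS` table that says which record types each role may open, and a hypothetical `CARE_TEAM` table that says which users have a treatment or billing reason to open a given patient's chart. It flags two snooping patterns: a user opening a record type their role does not cover (a billing clerk reading clinical notes), and a user opening a chart for a patient they have no relationship with. A count of distinct patients per user is included as a third cue, since a single employee touching far more charts than their peers is what a complaint-driven audit typically surfaces.

```python
"""Added example (not from the original post): a minimal audit over
constructed EMR access-log lines that flags two kinds of insider snooping.

Assumptions (all hypothetical, for illustration only):
- each log line is "timestamp,user,role,patient_id,record_type"
- ROLE_PERMISSIONS lists the record types each role may open
- CARE_TEAM lists the users with a treatment/billing reason to open
  each patient's chart
"""
from collections import defaultdict

# Which record types each role may open (assumed role definitions).
ROLE_PERMISSIONS = {
    "nurse": {"medical"},
    "physician": {"medical"},
    "billing": {"financial"},
    "registration": {"demographics"},
}

# Which users have a legitimate relationship to each patient (assumed).
CARE_TEAM = {
    "P100": {"nurse.lee", "dr.chen", "billing.ortiz"},
    "P200": {"nurse.lee", "dr.chen"},
    "P300": {"dr.patel", "billing.ortiz"},
}

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2014-06-01T08:02:11,nurse.lee,nurse,P100,medical
2014-06-01T08:05:40,dr.chen,physician,P200,medical
2014-06-01T09:15:02,billing.ortiz,billing,P100,financial
2014-06-01T09:16:30,billing.ortiz,billing,P100,medical
2014-06-01T10:40:12,nurse.lee,nurse,P300,medical
2014-06-01T11:01:00,reg.smith,registration,P200,financial
"""


def parse_log(text):
    """Parse the comma-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, rtype = line.split(",")
        events.append({"ts": ts, "user": user, "role": role,
                       "patient": patient, "record_type": rtype})
    return events


def audit(events, role_permissions=ROLE_PERMISSIONS, care_team=CARE_TEAM):
    """Return findings as (user, patient, record_type, reason) tuples.

    An event can produce two findings: one if the record type is outside
    the user's role, one if the user has no relationship with the patient.
    """
    findings = []
    for e in events:
        allowed = role_permissions.get(e["role"], set())
        if e["record_type"] not in allowed:
            findings.append((e["user"], e["patient"], e["record_type"],
                             "record type outside role"))
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append((e["user"], e["patient"], e["record_type"],
                             "no care relationship with patient"))
    return findings


def patients_per_user(events):
    """Count distinct patients each user opened; an outlier is a snooping cue."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient"])
    return {user: len(patients) for user, patients in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in audit(evs):
        print(finding)
    print(patients_per_user(evs))
```

Run on the constructed sample, the audit flags the billing clerk reading a medical record, the nurse opening a chart for a patient not on her care team, and the registration user opening a financial record for a patient outside their relationship. In a real deployment the role and care-team tables would come from the HR system and the EMR's encounter data, and the audit would run on a schedule over the full retention window rather than waiting for a complaint.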
A study released last year by HIMSS found that 80 percent of healthcare IT security audits identified employee snooping as a top threat behind breaches. The Department of Health and Human Services says that more than 41.4 million people have had their information compromised in a reportable HIPAA breach. Putting both role-defined data access and an audit plan in place might help keep you from contributing to those numbers.