Unauthorized access to patients’ protected health information (PHI) is illegal — so why do healthcare professionals keep doing it? How do you get them to stop?A recent JAMA Network study on PHI breaches provides insights into employee behavior regarding privacy data, and how that behavior can be corrected.
Unauthorized PHI access remains a constant threat to the healthcare industry — a breach of patient trust that leads to lawsuits, fines, and the kind of publicity that organizations do not want.1 With approximately one quarter of PHI breaches caused by internal employee snooping,2 a study was conducted to understand the effectiveness that email warnings would have on reducing repeated violations.
A total of 444 employees (all professional medical staff) were flagged by an academic medical center’s patient privacy monitoring software for unauthorized access of PHI. Of those employees, 219 (49%) were randomly selected to receive an email warning on the night of their access, while the remaining 225 employees (51%) did not. The email stated that the employee had been identified as having accessed a patient’s electronic medical record without a known work-related purpose and that unauthorized access is a privacy violation. All unauthorized accesses were later verified as valid PHI breaches (neither work-related nor patient-authorized).
Only four of the 219 employees (2%) in the group that received an email committed unauthorized access a second time, while 90 of the 225 employees (40%) in the group that did not receive an email committed a second violation. These findings represent a 95% effectiveness of email warnings in reducing repeat offenses. What’s more, the group that did not receive an email continued to repeatedly access unauthorized records, resulting in a total of 326 violations. One result we found interesting was that out of those 326 repeat violations, 88 (27%) occurred within the first 10 days of the initial offense.
When left unchecked, hospital employees will repeatedly commit unauthorized access to PHI, creating substantial financial, reputational, and clinical risks for the patient and the organization.3 However, simple email warnings within the first 24 hours can substantially reduce repeated unauthorized access, helping protect both patients and healthcare entities. Although most patient privacy and human resources teams already include email notifications in their patient privacy strategy, it can often take days for even the most efficient teams to manually contact each employee suspected of a violation. With 27% of repeated violations occurring within the first 10 days, we believe an automatic, instant response is the ideal way to help employees understand that their actions may be improper, and in many cases, can seamlessly prevent further instances.
Our Advanced Virtual Assistant (AVA), along with our patient privacy monitoring software Haystack™ iS can uncover a potential violation, automatically email the employee, and escalate the incident to the appropriate privacy team shortly after receiving the audit data. These automatic notifications not only provide employees with the opportunity to understand how their actions violate privacy policies and stop the behavior, they also allow privacy teams to use their time more effectively by not having to reach out manually.
To learn more about how our AVA automation tool can streamline your patient privacy team’s investigations and reduce repeated unauthorized access by up to 95%, contact us at firstname.lastname@example.org.
1: HIPAA Journal. March 2022 Healthcare Data Breach Report https://www.hipaajournal.com/march-2022-healthcare-data-breach-report/#:~:text=In%20March%202022%2C%2043%20healthcare,57.75%20data%20breaches%20a%20month.
2: Jiang JX, Bai G. Evaluation of causes of protected health information breaches. JAMA Intern Med. 2019;179(2):265-267. doi: https://jamanetwork.com/journals/jamainternalmedicine/fullarticle/2715158
3: Jiang JX, Bai G. Types of information compromised in breaches of protected health information. Ann Intern Med. 2020;172(2):159-160. doi: