Expert: Block access to snoopers, set firm policies
HIPAA Weekly Advisor, May 10, 2010
Patient-record snooping is inevitable, but with the advent of electronic health records (EHRs), it took “a new twist,” says Kate Borten, CISSP, CISM, president of The Marblehead Group.
“The fact that e-records can be accessed from anywhere is both a blessing and a privacy and security curse,” Borten says.
Borten says facilities should consider not only blocking access to PHI for employees who don’t need it, but enacting strict policies and penalties.
“Today the standard approach -- after technically blocking access from those who don't need it, of course -- is to have a policy prohibiting snooping and sanctions for violations, workforce training that makes this crystal clear, and then follow-through with technical and manual auditing and disciplinary action,” says Borten.
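The "technical and manual auditing" step above is the part a security team actually has to build. The following is an added example, not code from the article or The Marblehead Group: a small Python audit pass over constructed EHR access-log lines that flags chart views with no treatment relationship, views of patients carrying a high-profile flag, and users who touch several unrelated charts in one pass. The log format, care-team table and flag set are all assumed for illustration.

```python
from collections import defaultdict

# Constructed sample audit trail: one line per chart access (not real data).
ACCESS_LOG = [
    "2010-05-04T08:12:11 user=nurse01 patient=P1001 action=VIEW",
    "2010-05-04T08:15:40 user=nurse01 patient=P1002 action=VIEW",
    "2010-05-04T09:02:03 user=clerk07 patient=P2001 action=VIEW",
    "2010-05-04T09:02:59 user=clerk07 patient=P2002 action=VIEW",
    "2010-05-04T09:03:30 user=clerk07 patient=P2003 action=VIEW",
    "2010-05-04T10:10:10 user=doc22 patient=P1001 action=VIEW",
]

# Constructed treatment relationships: users on each patient's care team.
CARE_TEAM = {
    "P1001": {"nurse01", "doc22"},
    "P1002": {"nurse01"},
    "P2001": {"nurse14"},
    "P2002": {"doc03"},
    "P2003": {"doc03"},
}

# Constructed set of patients whose records carry a high-profile flag.
HIGH_PROFILE = {"P2001"}


def parse_line(line):
    """Split a 'ts key=value key=value' audit line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def find_snooping(log_lines, care_team, high_profile, burst_threshold=3):
    """Return (kind, user, detail, ts) findings for review by the privacy office."""
    findings = []
    unrelated_per_user = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        user, patient = rec["user"], rec["patient"]
        related = user in care_team.get(patient, set())
        if not related:
            findings.append(("NO_RELATIONSHIP", user, patient, rec["ts"]))
            unrelated_per_user[user].add(patient)
        if patient in high_profile and not related:
            findings.append(("HIGH_PROFILE", user, patient, rec["ts"]))
    # A single user opening many unrelated charts is the classic snooping pattern.
    for user, patients in unrelated_per_user.items():
        if len(patients) >= burst_threshold:
            findings.append(("BURST", user, len(patients), None))
    return findings
```

On the sample above, nurse01 and doc22 produce nothing, while clerk07 yields three NO_RELATIONSHIP findings, one HIGH_PROFILE finding and one BURST finding.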
Patient-record snooping grabbed headlines May 4 when Huping Zhou, 47, of Los Angeles, became the first person sentenced to prison for a misdemeanor HIPAA offense consisting solely of accessing confidential records without a valid reason or authorization, according to the U.S. Attorney's Office in the Central District of California.
United States Magistrate Judge Andrew J. Wistrich sentenced the former UCLA Healthcare System employee to four months in prison.
Zhou admitted to illegally reading private and confidential medical records, mostly those of celebrities and other high-profile patients, according to the U.S. Attorney's Office release.
“Snooping won't ever go away completely, just as there is no such thing as perfect security,” Borten says. “But I think the industry can and is doing a better job addressing this long-standing problem.”