Avoid the 'dirty little secret' inside healthcare: Stop staff members from snooping

Curiosity. Malice. Efficiency. Rivalry. To be helpful. To be hurtful. Because they have a brief lapse of judgment. Because they have a plan to steal thousands of identities and sell them on the Internet. The reasons why staff members snoop in patient records are as varied as the employees themselves.

 

“I’ve sometimes called it the ‘dirty little secret’ inside healthcare because it has been a problem for a very long time,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

 

So what can you do? Catching a snoop is like looking for a needle in a haystack. But you’d better try. The first step involves teaching staff members why viewing records they don’t need to see to perform their jobs is impermissible.

 

The privacy officers at each of Trinity Health’s hospitals use several methods to ensure constant staff awareness of the need to protect patient privacy, according to Camille Orso, CHP, corporate director of HIPAA compliance and privacy officer at Trinity Health.

 

These include training during orientation, attending departmental meetings, publishing reminders in a newsletter, and hosting annual privacy week events on the anniversary of the HIPAA privacy rule implementation date. Staff members and nonemployees also sign confidentiality agreements that clearly describe prohibited behaviors, including snooping.

 

Facilities that have audit trails should emphasize during training that they monitor access. Staff members might think twice before peeking if they remember you track the records they access.

 

“Most of us generally follow the rules if we know somebody is watching. If you’re zipping around doing 45 miles in a 35 m.p.h. speed zone and suddenly you see a police car, what do you do? You hit the brakes. You slow down. Suddenly, you’re in compliance because you know somebody is watching,” says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. The same is true for staff members who consider accessing information they shouldn’t, she says. They may hesitate if they think you’re monitoring them.

 

It is also important to have written sanctions and that you make staff members aware of them during training, Borten says. “I hate to be heavy-handed,” she says. “But this is an area where you have to remind people of the consequences because you don’t have much else to work with here other than a threat.”

 

You must also take disciplinary action if it becomes necessary, and you must be consistent. “You can’t make an exception for the absolute best nurse on staff,” she says. “You have to be consistent and follow through.”

 

If an employee violates a policy at Trinity Health, the privacy officer and HR department handle any disciplinary action. They don’t publicize the action, but people still find out, Orso says. “They may not necessarily know the details, but that sort of information spreads around the organization.”