Mitigating Unauthorized Disclosures of PHI by Employees or Former Employees
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to select congressional committees, as part of its annual obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act. In the Report to Congress on Breaches of Unsecured Protected Health Information, OCR noted that from 2015-2016, unauthorized access/disclosures were the most common cause of reported breaches affecting 500 or more individuals. In 2017, they were the second most frequent cause and only eight percentage points behind hacking/IT incidents. Additionally, for each of these years, unauthorized access/disclosures were the leading cause of reported breaches affecting less than 500 individuals. Although OCR has not yet reported 2018 numbers to Congress, a review of the OCR Breach Portal indicates that unauthorized access/disclosures remained the second most frequent cause of reported breaches, making up over a third (35%) of reported breaches affecting 500 or more individuals.
OCR also noted that hacking and IT incidents of electronic equipment or network servers were the most frequent cause of reported breaches in the last two years, emphasizing that such threats pose extremely serious HIPAA risks. However, while organizations may wish to devote many of their resources to addressing cybersecurity issues, they should not discount the threat of workforce and former workforce members improperly accessing PHI in their HIPAA breach risk assessments.
To address and mitigate the risk of workforce and former workforce members improperly accessing PHI, organizations should:
- Have standard policies and procedures in place for investigating and removing individuals who have accessed PHI in an unauthorized manner;
- Reinforce HIPAA concepts through workforce training and weekly or monthly reminders such as e-mail alerts or newsletters;
- Audit and monitor EHR activity to make sure no one is improperly accessing electronic PHI (ePHI);
- Have strong and consistently enforced termination procedures that include immediately cutting off access to PHI for any employee or Business Associate no longer working with the organization;
- Implement multiple levels of safeguards to decrease the ability of individuals to access PHI outside the scope of their job duties;
- Audit and monitor user accounts to ensure accounts that should be inactive are not still active;
- Make sure to track, collect, and account for any mobile devices the organization provided to workforce members;
- Prevent former employees from physically accessing the building or places that hold PHI;
- Institute purge procedures for employees’ personal devices that may have had access to ePHI;
- Require password changes every few months;
- Change any administrator passwords that the former workforce member may have used; and
- Have a strong sanction policy for those who improperly access PHI.
An organization must also be diligent about documenting any of its decisions regarding which safeguards it decides to implement or not implement. This step is critical, because even if an unauthorized disclosure of ePHI does not rise to the level of a breach under HIPAA, an organization can still be in violation of the HIPAA Security Rule for failing to conduct and document proper risk analysis and risk management procedures.
To learn how consultants at Strategic Management can evaluate or assist with your HIPAA Program, please contact Catie Heindel, JD, CHC, CHPC, CHPS ([email protected]) or Alexis Rose, JD ([email protected]).
