Ebola: Preventing Records 'Snooping'
First Cases Shine a Light on Challenges
Taking steps against inappropriate "snooping" of patient records is an ongoing challenge for hospitals in their HIPAA compliance efforts. But with the intensifying attention on Ebola cases, hospitals need to up their game in protecting patient privacy.
Ebola was in the headlines again last week when 100 people unknowingly came into contact with a patient before he was diagnosed with the disease at a Texas hospital. Now, healthcare organizations across the country are faced with preparing how to respond to possible Ebola cases they could encounter, including how to protect the privacy of those patients' records.
Nebraska Medical Center has already faced that challenge. The Omaha-based hospital in late September fired two workers for inappropriately accessing the medical records of Ebola patient Rick Sacra, M.D., who contracted the illness while providing care to Ebola patients in West Africa.
"While this is extremely uncommon, we have a zero tolerance for unauthorized access to patient information," the Nebraska Medical Center says in a statement provided to Information Security Media Group.
"During an audit of our electronic health records, we discovered that two medical center employees inappropriately accessed the record of Dr. Rick Sacra. This is a violation of HIPAA regulations, and an issue we take very seriously," the medical center states. "Based on the results of the investigation conducted, two employees no longer work for the organization and other corrective action has been taken."
A zero tolerance policy sends a strong message, says security expert Mac McMillan, CEO of the consulting firm CynergisTek.
"If someone is caught trying to access this type of health information and it is not appropriate for them to do so, then they should be terminated immediately," McMillan says. "This activity demonstrates a serious absence of good judgment - the health system doesn't need the liability, and we don't need people like that caring for our family members."
But independent security consultant Tom Walsh points out that before levying sanctions - including termination - against a worker for inappropriate access to records, it's important for hospitals to verify that the access was intentional, and not a mistake. "Was the access one time for five seconds - or three times for six hours? That can make a difference in how to respond."
Records Protection Measures
Security and privacy experts say hospitals can take several measures to ramp up privacy protection of Ebola patients, and other sensitive cases. That includes:
- Reminding staff of privacy policies and sanctions for breaking those rules (see Ebola: Protecting Patient Data);
- Limiting access to records by strengthening controls and monitoring for unauthorized access;
- Monitoring social media for privacy violations.
"These initial [Ebola] cases are an opportunity for hospitals to look at their internal practices not only to treat these patients, but how to handle communication and protection of data," Walsh says.
Treating patients with Ebola, a contagious disease that is often fatal, understandably can fuel high levels of anxiety, concern and curiosity among workers in healthcare facilities, making potential records snooping a much higher risk.
"It's human nature. We're motivated to find out who these patients are. It goes beyond nosiness, it's self-preservation," Walsh says. "Who are the 100 people in my neighborhood who've come into contact with the Ebola patient, because I want to stay away from them."
To reduce the chances that records are inappropriately accessed, McMillan says confirmed and suspected Ebola patients can be "flagged" as VIPs in record systems, which triggers different rules for handling their information.
Walsh says for some hospitals, that involves hiding or changing the real names of high-profile patients in record systems, so that only key healthcare personnel know the patient's real medical identity.
Auditing tools that are part of an EHR system or available from third-party providers can also help monitor inappropriate access. "In our organization, we have the capability to flag certain records, and we can then, on an ongoing basis, monitor user activity with respect to those who access that particular record," says Dena Boggan, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital in Jackson, Miss.
"I would recommend a robust user activity monitoring system with this capability, and if you're not sure whether or not you have this capability, I would query your EMR vendor, or invest in a system that can monitor across all platforms that contain PHI at your organization," she says.
Security experts also suggest that hospitals do targeted audits of records access for patients treated or tested for Ebola. "I strongly recommend that the privacy officer specifically audit user access to that patient's record," says privacy expert Kate Borten, president of consulting firm The Marblehead Group.
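The flagging and targeted-audit approach described above, together with Walsh's point that one five-second view should be handled differently from three accesses totalling six hours, can be expressed as a small review of EHR access-audit data. The following is an added example, not code from any EHR vendor or from the organizations quoted here: the pipe-delimited log format, the user and patient IDs, the "care team" allow-list and the 60-second "brief access" threshold are all constructed assumptions. It aggregates every access to a flagged record by someone outside the documented care team and labels each user either "review" (a single brief view, which the privacy officer should verify before sanctioning) or "escalate" (repeated or prolonged access, or any print/export action).

```python
"""Audit of EHR access to flagged ("VIP") patient records.

Added example with a constructed log format and constructed IDs; thresholds
are assumptions, not settings of any real EHR or monitoring product.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines in a hypothetical pipe-delimited format:
# timestamp | user_id | role | patient_id | action | duration_seconds
SAMPLE_AUDIT_LOG = """\
2014-10-06T08:02:11 | u1041 | nurse      | P-7781 | view  | 420
2014-10-06T08:15:40 | u2290 | clerk      | P-7781 | view  | 5
2014-10-06T09:01:03 | u3377 | pharmacist | P-7781 | view  | 900
2014-10-06T09:30:55 | u3377 | pharmacist | P-7781 | view  | 7200
2014-10-06T10:12:19 | u3377 | pharmacist | P-7781 | view  | 6000
2014-10-06T10:40:00 | u1041 | nurse      | P-0042 | view  | 60
2014-10-06T11:05:31 | u4410 | billing    | P-7781 | print | 30
"""

# Records flagged for heightened monitoring (the "VIP" flag discussed in the article).
FLAGGED_PATIENTS = {"P-7781"}
# Workforce members with a documented treatment relationship to each flagged patient
# (constructed allow-list; a real system would derive this from care assignments).
CARE_TEAM = {"P-7781": {"u1041", "u5500"}}
# A single view at or below this length is treated as a possible mis-click, not snooping.
BRIEF_ACCESS_SECONDS = 60


def parse_audit_log(text):
    """Parse the constructed pipe-delimited audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, secs = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
            "seconds": int(secs),
        })
    return events


def audit_flagged_access(events, flagged=FLAGGED_PATIENTS, care_team=CARE_TEAM,
                         brief_seconds=BRIEF_ACCESS_SECONDS):
    """Aggregate accesses to flagged records by users outside the care team.

    Returns {(user, patient): summary}. severity is "review" for exactly one
    brief view (verify intent before sanctioning) and "escalate" for repeated
    access, prolonged access, or any non-view action such as print or export.
    """
    by_pair = defaultdict(lambda: {"count": 0, "total_seconds": 0, "actions": set(),
                                   "role": None, "first": None, "last": None})
    for ev in events:
        if ev["patient"] not in flagged:
            continue  # only flagged records get this targeted audit
        if ev["user"] in care_team.get(ev["patient"], set()):
            continue  # documented treatment relationship: expected access
        agg = by_pair[(ev["user"], ev["patient"])]
        agg["count"] += 1
        agg["total_seconds"] += ev["seconds"]
        agg["actions"].add(ev["action"])
        agg["role"] = ev["role"]
        agg["first"] = ev["time"] if agg["first"] is None else min(agg["first"], ev["time"])
        agg["last"] = ev["time"] if agg["last"] is None else max(agg["last"], ev["time"])

    findings = {}
    for key, agg in by_pair.items():
        one_brief_view = (agg["count"] == 1
                          and agg["total_seconds"] <= brief_seconds
                          and agg["actions"] == {"view"})
        agg["severity"] = "review" if one_brief_view else "escalate"
        findings[key] = agg
    return findings


if __name__ == "__main__":
    results = audit_flagged_access(parse_audit_log(SAMPLE_AUDIT_LOG))
    for (user, patient), f in sorted(results.items()):
        print(f"{f['severity']:8} {user} ({f['role']}) -> {patient}: "
              f"{f['count']} access(es), {f['total_seconds']} s, "
              f"actions={sorted(f['actions'])}, {f['first']} .. {f['last']}")
```

On the constructed sample, the nurse on the care team produces no finding, the clerk's single five-second view is flagged for review, and the pharmacist's three accesses adding up to nearly four hours, as well as the billing user's print of the record, are escalated. The same aggregation over a real vendor's audit export is the "targeted audit" the experts recommend; the allow-list and thresholds are the parts a privacy officer would tune to local policy.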
McMillan says another alternative for hospitals to consider in protecting Ebola patients' records is protecting the information in the same way that they safeguard mental health records. "Most mental health records, for instance, are locked down so that they can only be accessed from certain assets, by certain workforce members or within certain areas," McMillan says. "What that means is snooping is curtailed seriously, and the information surrounding the patient can be contained to a prescribed few."
Use of a data loss prevention system can also play a role in protecting sensitive records. These tools can "watch and alert on any outbound traffic and block communications containing the victims' names or information or track any reference to the issue involved," McMillan says.
Security and privacy experts also point out that it's important for healthcare organizations handling sensitive cases to closely monitor social media.
"Hospitals that take on these patients need to encourage their marketing and IT people to work together in monitoring social media, and making sure people are not blabbing," Walsh says. Not only does that mean watching for disclosures of protected health information, but also "hints and clues" that reveal details about unnamed patients, "especially when there's only a handful of patients being treated" for a rare illness, such as Ebola.
McMillan suggests that hospitals also consider special mobile device protections applied to those who will have direct access to the patients. "You might want to temporarily block Facebook and other forms of social media," he says.
Additionally, healthcare organizations should remind staff who are involved in treating these patients or handling lab or pharmacy work to be especially aware about conversations that could be overheard, McMillan suggests.
"To me, when a situation like this gets extensive media coverage, the first thing you need to do is remind staff ... of their obligation to only access the information they need to treat their patients, that user activity monitoring is ongoing, and the consequences of inappropriate activity with regards to snooping," says Boggan of St. Dominic Jackson Memorial Hospital.
Borten, the consultant, adds: "Policy and workforce training should make very clear that accessing a patient's record without a work-related need can be a HIPAA violation and grounds for disciplinary action including immediate termination."
When planning for handling sensitive cases, Boggan says, "the most important piece of advice to offer is 'don't panic. Stick to your established guidelines, be proactive rather than reactive, and make sure all of your bases are covered.'"