
Employee Email Warnings Reduce EHR Snooping, Unauthorized PHI Access

Employees who received an email warning after unauthorized PHI access were far less likely to commit the same offense again, research published in JAMA Network Open found.

Only 2 percent of healthcare employees who received an email warning after committing unauthorized protected health information (PHI) access carried out the same offense again, a research letter published in JAMA Network Open found.

Researchers flagged all unauthorized access to patient medical records at a large academic medical center from January 1 to July 31, 2018. Within that window, 444 employees viewed patient medical records without being part of those patients’ care teams.

To test the impact of an email warning, researchers randomly selected 49 percent of the employees to receive a warning on the night of their access. The email explained that the employee was identified for accessing a patient’s electronic medical record without a known work-related purpose. The remaining 51 percent of employees served as the control group and did not receive an email warning.

The email warning was highly effective: only 4 of the warned employees committed unauthorized access a second time, versus 90 employees (40 percent) of the control group, a roughly 95 percent relative reduction in repeat offenses.
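The study’s method reduces to a detection rule over EHR audit logs (flag any chart access by a user with no care relationship to the patient), a same-day notification, and a repeat-offense metric. The following Python is an added example illustrating that pipeline; it is not the researchers’ code, and the audit-log format, the care-team roster, and the field names are constructed for illustration rather than taken from any real EHR product. Run with the article’s counts (90 repeats in a control group of about 226, 4 repeats among about 218 warned employees), `relative_reduction` returns the roughly 95 percent figure reported above.

```python
"""Flag EHR chart accesses by users outside the patient's care team.

Added example, not the study's code. Log format and roster are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed roster: patient ID -> user IDs with a documented care relationship.
CARE_TEAM = {
    "P100": {"u_ana", "u_ben"},
    "P200": {"u_cho"},
}

# Constructed audit-log lines (timestamp user patient action); not real EHR data.
AUDIT_LOG = """\
2018-01-03T08:12:04 u_ana P100 view_chart
2018-01-03T08:20:31 u_dan P100 view_chart
2018-01-03T22:41:10 u_dan P200 view_chart
2018-01-04T09:02:55 u_cho P200 view_chart
2018-01-04T13:15:22 u_eve P100 view_chart
2018-01-06T10:30:00 u_dan P100 view_chart
"""


def parse_audit_log(text):
    """Parse the constructed whitespace-separated audit format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def flag_unauthorized(events, care_team):
    """Return events whose user has no care relationship with the patient.

    A production rule should also exclude documented break-the-glass or
    emergency access so legitimate care is not flagged (assumption: the audit
    source records such a reason; this constructed log carries none).
    """
    return [e for e in events
            if e["user"] not in care_team.get(e["patient"], set())]


def warning_email(event):
    """Warning text modelled on the article's description of the study's email."""
    day = event["ts"].date().isoformat()
    return (f"To: {event['user']}\n"
            f"You were identified as accessing the electronic medical record of "
            f"patient {event['patient']} on {day} without a known work-related "
            f"purpose. If this access was required for your role, reply with the reason.")


def repeat_offenders(flagged):
    """Users with flagged access on more than one calendar day (a repeat offense)."""
    days_by_user = defaultdict(set)
    for e in flagged:
        days_by_user[e["user"]].add(e["ts"].date())
    return sorted(u for u, d in days_by_user.items() if len(d) > 1)


def relative_reduction(control_repeats, control_n, warned_repeats, warned_n):
    """Relative reduction in repeat rate: 1 - (warned rate / control rate)."""
    return 1 - (warned_repeats / warned_n) / (control_repeats / control_n)


if __name__ == "__main__":
    flagged = flag_unauthorized(parse_audit_log(AUDIT_LOG), CARE_TEAM)
    for e in flagged:
        print(warning_email(e), end="\n\n")
    print("repeat offenders:", repeat_offenders(flagged))
    print("relative reduction:", round(relative_reduction(90, 226, 4, 218), 3))
```

The rule deliberately keys on a care relationship rather than on role or department alone, because role-based authorization still permits a night-shift clerk to open any chart; the audit trail plus a care-team join is what turns a permitted action into a detectable anomaly.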

“This nonrandomized controlled trial found that when left unchecked, hospital employees repeatedly committed unauthorized access to PHI, creating substantial financial, reputational, and clinical risks for the patient and the organization,” the research stated. “Avoiding repeated access is a critical measure for risk mitigation.”

Although the researchers noted that their findings may not be generalizable to other settings, they underscored the importance of protecting PHI from unauthorized access.

Hacking incidents account for most of the recently reported healthcare data breaches, but the research showed that insider threats also pose a significant risk to PHI security.

EHR snooping and unauthorized PHI access led to one Huntington Hospital employee being charged with a HIPAA violation in November 2021. Huntington Hospital discovered that a night shift employee was improperly and repeatedly accessing electronic medical records without role-based authorization and had to notify 13,000 individuals of the breach.

The incident further emphasized the need for a culture of cybersecurity built on workforce education and strong security controls.

“Adopting simple email warnings, accompanied by a PHI access control system, can substantially reduce future unauthorized access and benefit patients and health care entities,” the researchers suggested.

“The constantly evolving landscape of PHI breaches requires continuous risk management effort.”
