Electronic health records (EHRs) can be used for more than storing and sharing patient data; the systems can also make it easier to identify employees who might be committing HIPAA violations by inappropriately accessing patient records—an issue that recently came to light at a California hospital.
Officials from California Pacific Medical Center on Jan. 23 notified 844 patients after an EHR audit conducted in October discovered that a pharmacist employed by the San Francisco hospital had been inappropriately viewing patient data from October 2013 to October 2014.
Originally, the incident was thought to have only affected 14 patients. However, after an "expanded investigation," the number of records viewed was found to be much larger. According to the investigation, the information that the pharmacist accessed included:
- Clinical diagnoses;
- Clinical notes;
- Patient diagnosis; and
- Prescription data.
The hospital's policy states that staff may access patient data "only when necessary to perform job duties and that violating this policy may result in loss of employment." The staff member has since been terminated.
According to HHS data, nearly 13% of data breaches involve improper access or inappropriate disclosure of patient records.
Suzanne Widup, a senior analyst on the Verizon RISK team, says the best way to avoid such breaches is to audit your employees and patients' health data. She says, "You need to know who has the data, who has access the data, and you need to monitor it," adding, "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before" (McCann, Healthcare IT News, 1/26).
The takeaway: A recent data breach in California, in which an employee inappropriately accessed patient records, sheds light on how EHRs can be used to monitor and prevent inappropriate EHR use.
Hear from our experts
Ernie Hood, Senior Research Director
Data breaches are pretty much (or just about) inevitable; what hospitals are failing to do is prepare for them. We know from studies that the top indicator of how bad the consequences of a breach will be is how quickly and effectively an organization reacts to it. But hospitals are not spending the time needed to prepare for a breach in advance.