Privacy Officer's Roundtable

Inappropriate Access

  • 1.  Inappropriate Access

    Posted 03-26-2020 04:13 PM

    I would like your opinion on the following inappropriate access (not work-related, accessed out of curiosity):

     

    Employee 1 – inappropriately accesses the clinical portion of the patient's chart, looking at the doctor's and nurse's notes, test results/reports, etc.

    Employee 2 – inappropriately accesses the patient's demographic information that includes name, address, phone, email address, race, date of birth and in some cases, the patient's social security number.

     

    Question:

    What corrective action do you think each employee should receive?  Same?  Different?  Does it depend on their past violations?

     

    Thank you for your input!

    Cinda

     

    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
    2020 SCCE Membership


  • 2.  RE: Inappropriate Access

    Posted 03-26-2020 05:56 PM
    My opinion is consistency in enforcement is key. The problem as I understand it is that each accessed out of curiosity and neither had any need to access those portions of the records to do their job. So, action of each may have violated a policy (?) regardless of what part of the record they peeked at. If not enforcing (policy/expectation) consistently for the main problem of accessing records when not needing for job function, it almost would send a message to others that there is some flexibility in the expectations. Again, my opinion.








  • 3.  RE: Inappropriate Access

    Posted 03-27-2020 09:46 AM
    It's obviously an organizational decision how these are handled. Some places I've worked handle all non-business related access the same. Others look at what was accessed and have a range of disciplinary actions and adjust up or down based on mitigating and aggravating factors. Clinical information and SSN are definitely aggravating factors. Consistency is key as others have mentioned.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 4.  RE: Inappropriate Access

    Posted 03-27-2020 03:24 PM
    That makes a lot of sense to me. Great point.

    ------------------------------
    Vicky Roe RN CPMA CHC Compliance Clinical Auditor
    Southeast Georgia Health System
    Brunswick, GA
    Sheldon Roe
    ------------------------------



  • 5.  RE: Inappropriate Access

    Posted 03-27-2020 05:59 PM

    I agree that consistency is key.  Both accessed PHI in an unauthorized fashion.  The only reason I would see to treat the two employees differently is if one but not both had been disciplined previously for unauthorized access to PHI. In that case I think the sanctions need to be greater for a prior offender.

     

    Chris Apgar, CISSP, C|CISO

    CEO & President

    (503) 384-2538 (o)

    (503) 816-8555 (c)

    (503) 384-2539 (f)

    capgar@apgarandassoc.com

    www.apgarandassoc.com

     

    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response


    The information contained in this email message is intended only for the personal and confidential use of the recipient(s) named above. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by email, and destroy the original message.

     






  • 6.  RE: Inappropriate Access

    Posted 03-30-2020 08:24 AM

    Thank you to Sonu, Brenda T, Frank Savannah, Brenda M, David, Vicky and Chris for your input about corrective action for inappropriate access.  I have a lot of respect for the opinions from members of this forum, as does my CEO, who suggested to me that I check with my peer group!

    I agree that consistency is the key, and I like the different tiers approach and having a range of corrective actions within each tier, dependent on the circumstances surrounding the offense.

    Thanks again everyone!  Stay safe!  Heartfelt prayers for the World.

    Cinda

     



