Easy Question, Complicated Answer: What Does It Take to Stop Workers From Snooping?
Health Care Compliance Association (HCCA) | JD Supra
Report on Patient Privacy 25, no. 11 (November 2025)

UHealth, also known as the University of Miami Health System (UMHS), implemented a zero-tolerance policy related to members of its workforce snooping into records they have no business, literally, seeing. UHealth spent at least a year prepping before implementing the policy, which includes regular auditing and other activities designed to prevent and manage such incidents. Yet this summer, UHealth announced that an employee inappropriately poked around in the medical records of nearly 3,000 patients for two-and-a-half years before being caught.

The inappropriate access wasn't discovered until June of this year; the breach was reported to the HHS Office for Civil Rights on July 29, and UHealth made a public statement about it as well.[i] Two high-level UHealth privacy officials recently described their anti-snooping program in detail during a webinar sponsored by HCCA.[ii] Hoping to understand the breach, which the speakers didn't mention, in the context of the policy, RPP submitted a series of questions but was unable to learn anything further.

"We were not speaking on behalf of the University of Miami, and as a matter of procedure, we never mention real/specific cases for confidentiality purposes," Alyssa Lawrence, UHealth assistant vice president and deputy chief compliance and privacy officer and one of the speakers, told RPP in an email. Lawrence said she could not address the other questions, noting that "it is not our practice to comment further than the press release." She added that "we are extremely mindful of confidentiality, which is critical in our roles."

The fact that UHealth experienced this incident despite its efforts reflects the intransigence of the perhaps all-too-human desire to learn secrets about each other, consequences be damned. Snooping is considered one of the most common types of HIPAA violations. The motivations in this instance are unknown, and UHealth didn't say, for example, whether the now presumably ex-employee sold any purloined protected health information (PHI) or otherwise profited.

UHealth also wouldn't tell RPP how UHealth discovered the snooping, why it wasn't detected sooner, the nature of the snooping (were celebrities targeted, or family members or others known to the employee?), and lessons UHealth might have gleaned from this that resulted in changes to its policies or procedures.

According to Lawrence, UHealth may be the only, or at least among the first, to adopt a zero-tolerance policy for snooping, though because there are exceptions, it also seems accurate to call it a low-tolerance policy. While violators may be terminated, UHealth's policy includes warnings and exceptions, and violators may receive less severe sanctions depending on the circumstances.

Lawrence and Aidil Maria Tuya, UHealth manager of HIPAA privacy compliance, also detailed training needed before implementing a policy, as well as workflow considerations.

When developing its policy, UHealth called institutions "all around the country. We talked to our vendors, and no one seemed to have it," Lawrence said, terming the implementation process "trial by fire." As a result, Lawrence said she's happy to help others with their policies.

Posing, and answering, the question of how to "convince your board or your C-suite team to actually do something like this," Lawrence said UHealth "started this because there was a snooping incident where board members were viewed. We had them riled up; they were demanding change. We presented this as change."

Lawrence's approach to the snooping policy fits with her overall view that an effective compliance program is one where "we can get to the point of not just reacting to things coming in and putting out fires all the time." The goal is having a system where "you're finding an issue before it becomes a big problem, or early enough that it's easier to catch, it's easier to do something about," she said.

In Lawrence's view, the job of the compliance officer is to "do what's right, to have our employees accountable for their own actions, making
sure they are properly educated and that any policy changes are communicated."

Education and training about snooping are essential because there is a pervasive, and generally false, belief that employee snooping doesn't trigger a reportable breach, Lawrence said.

Snooping Includes Range of Behaviors

At UHealth, "it is a rare occurrence" that a snooping incident involves "someone going into a thousand patients' charts over time," she said. More typically, a snoop looks at "a couple or a dozen" records, Lawrence said. As noted, she failed to mention this summer's breach that involved 2,900 patients.

Simply put, snooping refers to "any unauthorized access to patient health information by individuals who do not have a legitimate business need to view that data," explained Aidil Maria Tuya, manager of UHealth HIPAA privacy compliance, who also spoke during the webinar. "This includes everything from casually opening up a chart just out of curiosity to actively searching for and sharing sensitive details. Sometimes we do see high-profile cases of employee snooping that involve celebrities that make the headlines, but the reality is that snooping happens across the board."

Also part of the equation is incorporating the minimum necessary standard, which requires covered entities (CEs) and business associates to limit the use, the disclosure and the access to PHI to the minimum amount necessary to accomplish the intended purpose. "In practice, this means that even if someone doesn't share the information, even if they just look at it out of curiosity, it's still a violation," Tuya said.

It's a violation for a nurse to review a patient's record to see what procedure they're scheduled for if the patient isn't assigned to that nurse. "That's snooping and also a HIPAA violation," said Tuya.

"It doesn't matter if the employee didn't even copy anything from the chart or print from the chart or didn't even share it with anybody else," she said. "It's also important to remember that HIPAA is designed to protect patient privacy not just from external threats, for example, hackers or any third party, ransomware, but also from internal misuse as well."

Examples include an employee accessing a family member's test results, reviewing injuries suffered by a famous individual, or even viewing a coworker's mental health records, Tuya said.

"One of the things that we would like to point out is that regardless of the intent, whether it's curiosity, gossip or something more malicious, it's a violation of HIPAA and a breach of patient privacy to snoop," Tuya said. "And covered entities are required to report these incidents to HHS, and they're also required to notify the affected individuals."

Point Is Not to Fire People

Tuya added that the Privacy Rule is clear that patients have a right to keep their health information confidential, and that right applies "whether the patient is a stranger, a friend, someone you see at the grocery store or someone that you see on TV." Addressing employee snooping also matters because "it can lead to some serious consequences for employees and organizations."

"Something that we see a lot is access to a child's record," Tuya said, where the employee uses their work credentials to access the electronic health record (EHR) rather than going through being an authorized user via the patient portal, or a spouse checks on an appointment for a partner.

Many institutions "just take the position that all personal access is inappropriate," but they also may apply lesser disciplinary measures for this sort, Tuya said.

It could happen that a provider accessing a family member's record is actually caring for that individual, so it will be crucial to know if this is the case and whether it is allowed by the organization's bylaws, Lawrence said. Similarly, that provider might call in a prescription. "It's probably not a privacy violation, but it could violate other policies," Lawrence said.

When crafting a zero-tolerance or a low-tolerance policy that may lead to termination, "you want that termination language in there at some point," Lawrence said. But she
added that "the whole point of doing this is not to fire the most people. The point of you doing this is almost a little fear generation and sending a message so that employees are taking this seriously."

But under UHealth's policy, not every violation results in termination.

Warning, Training Essential to Success

"Self-access," which is what UHealth calls access when an individual enters the EHR to check the person's own information, doesn't result in termination, Lawrence said, unless it happens a second time. Instead, the person is issued a warning. But there's a big caveat, she said. If the person engages in "self-modification," meaning "they go in and change a diagnosis, change allergies, change notes or something medical or clinical, that is a big problem for us, not necessarily because it's a privacy problem, but it opens up a lot of other risk-based problems."

Similarly, if the worker checks something in the EHR that was accessible through the portal, this also results in a warning the first time it happens, she said.

In terms of the actual policy, it needs to be easily readable and understandable to employees with the lowest level of education at the institution, Lawrence said, so that "your lowest common denominator of level of education you need at your institution can read it, and they can understand it."

The use of examples is important in training, but Lawrence doesn't include them in policies. "I am personally a believer that policies should be concise; they should be short. We shouldn't take a lot of liberties with them, especially if we can't enforce that."

UHealth may have taken up to a year of announcements and training before putting the policy in place, offering what the speakers called a "Privacy Roadshow." "We made sure we had a list. We hit every single department, every single group," Lawrence said. In addition to adding information to its computer-based learning program that is part of its annual HIPAA training, UHealth conducted remedial training on snooping and talked to department chairs, chiefs and the administrators.

"There was not a person that we did not get to, unless of course they were on leave for over a year," Lawrence said.

The University of Miami, like other academic medical centers, has a diverse employee population: faculty, staff, some unionized, some non-union employees, volunteers, students, contractors. "Your policy should apply consistently across all groups," Tuya said, because "consistency is key to ensure fairness when it comes to enforcement." This means that a physician could be terminated for a violation, as could other employees.

Use Technology, but Verify

Lawrence also addressed factors organizations should consider before purchasing anti-snooping technology. She recommended products that use artificial intelligence (AI) but also integrate with the organization's EHR and human resources (HR) systems.[iii]

However, Lawrence also cautioned that when "you have a system that can use AI to do this for you, you have to verify the findings. I highly, highly recommend you always get human eyes on the report," she said.

"If you're going to start investigating, interviewing an employee based on what a system found, I think it would be irresponsible to not verify it yourself. You do a check. A check is still a lot faster than starting from scratch."

This also includes establishing the investigative process. "Who has to be in the room? Who are the right people?" Lawrence said. UHealth has revised its process again "because we need to find a way to make it work without being overly burdensome to the HR staff, too, who are also notoriously overburdened and understaffed."

Who to interview and what to ask will differ, she noted. "That's especially true when we talk about academic health centers, where you have a faculty." Who is in the room might depend on whether the person is a faculty or staff member, a student, resident or fellow, Lawrence said.

"In general, we have rules in our department that there always has to be a witness. You don't ever conduct an interview alone," Lawrence said. Also present is a notetaker. How the
interview was conducted is also documented in UHealth's incident management system.

Establish Workflows, Decision-Makers

A final consideration is how a zero-tolerance policy that permits firing violators will be enforced and who will make decisions. For example, there is variation in whether the compliance or privacy office has express authority to terminate or discipline individuals. "A lot do not," Lawrence said, including at UHealth. This is not authority she is seeking, Lawrence said, adding that it's important to know who makes such decisions when the policy is put in place.

CEs and others need to "establish your operational workflows" and integrate information on snooping investigations and findings that are revealed, Lawrence said. "When we're thinking about a workflow, we're thinking about the flagging and the triage process. Who actually gets that report from the system saying that there's an issue? What do they do with it? What are your literal 1, 2, 3, 4, 5 steps to say, 'Okay, I have this issue. I need to investigate it. Do I need to escalate it immediately? Do we tell HR right away?'"

"At UHealth, we did start by telling HR right away, and then we agreed with HR that it became too bottlenecked. We can move faster if we can do the triaging, any initial interviews or emails to ask questions; we do that first. And then when we are confident that there is likely or probably a violation here of the policy, that's when we bring in HR," Lawrence said.

"I also recommend having investigation protocols and documentation requirements, not just for this but for all compliance programs."

All of this has to happen while officials have their eye on the clock. As with other reportable breaches, affected patients and OCR need to be notified within the required 60-day time frame; single incidents are included in annual reports to the agency. Lawrence added that UHealth does conduct a risk assessment to determine if a snooping incident meets the definition of a reportable breach.

Compliance Shouldn't Operate in a Vacuum

In stressing the need to monitor the policy and tweak it as necessary, Lawrence added that institutions need to consider the implications on the workforce and on other staffers who have to enforce it.

"These are real people that have real jobs, and we work in health care. You don't want patient care to be jeopardized by your policy decisions, or jeopardized in a way that would be significant," she said.

An organization needs to consider how "possibly disciplining and possibly firing 200 people a month for a while is going to impact your operational work," Lawrence said. "To be clear, I'm not saying don't do it because of operational issues. I'm saying that has to be discussed. That has to be part of the conversation."

Caution and planning are essential. "We need to adjust, we need to adapt, and we need to see what the tools are telling us before we implement a zero-tolerance snooping policy," she said. How well the organization is staffed to handle such a policy is another factor, Lawrence said, adding, "This was hard for us, figuring out how many true full-time equivalents we need to be able to do this and that effort for investigations that we might not have done before."

Lawrence pointed out that an anti-snooping program is an add-on; the rest of the privacy program of compliance has to run. "This is something new, and it doesn't take away from anything else."

Said Lawrence: "In my opinion, there's almost nothing worse than compliance acting in a vacuum, wherein we don't care about the clinical care, we don't care about operational issues, we don't care about other people's staffing issues," and instead adopting an attitude of "Do what we say 'cause we're compliance. That does not work in real life. That doesn't make you liked, that doesn't make you listened to, that doesn't give you a seat at the table."

[i] UHealth, "Records Viewed," University of Miami incident notification, undated, accessed November 4, 2025, https://bit.ly/4rtPqCr.

[ii] Alyssa Lawrence and Adili Tuya, "Intersection of Employee Snooping & HIPAA: Considering Zero Tolerance or Increased Enforcement," webinar, HCCA, August 21, 2025, https://bit.ly/4hPSnZx.

[iii] Theresa Defino, "When Choosing Anti-Snooping Tech, Know Capabilities, Limits," Report on Patient Privacy 25, no. 11 (November 2025): 8.

Learn more: https://www.hcca-info.org/publications/newsletters/report-patient-privacy
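The sanction tiers described under "Warning, Training Essential to Success" (warning for a first self-access, termination review for a second, escalation for self-modification, warning for a first portal-available access, investigation for any other access outside the care team) and the "flagging and the triage process" from "Establish Workflows, Decision-Makers" can be expressed as a small triage pass over EHR audit events. This is an added example, not UHealth's code or anything from the article; the field names, the own-record mapping and the sample audit records are constructed, and the handling of a repeat portal-available access is an assumption the speakers did not state.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str            # workforce member's EHR login (constructed sample values below)
    patient: str         # patient record that was opened
    action: str          # "view" or "modify"
    care_team: bool      # user is on this patient's assigned care team
    portal_proxy: bool   # user is an authorized patient-portal proxy (e.g. a parent)

# Recommended steps follow the tiers in the article; the repeat-offense handling
# for portal-available access is an assumption, not something the speakers stated.
def triage(events, own_record):
    """own_record maps user -> the patient id of that user's own chart.
    Returns (event, category, recommended_step) tuples for a human reviewer;
    nothing here disciplines anyone, it only builds the queue that gets human eyes."""
    seen = Counter()            # (user, category) -> prior occurrences
    findings = []
    for ev in events:
        if ev.care_team:
            continue            # legitimate business need: not snooping
        if own_record.get(ev.user) == ev.patient:
            if ev.action == "modify":
                cat, step = "self-modification", "escalate for clinical-integrity review"
            else:
                cat = "self-access"
                seen[(ev.user, cat)] += 1
                step = "warning" if seen[(ev.user, cat)] == 1 else "termination review"
        elif ev.portal_proxy:
            cat = "portal-available"
            seen[(ev.user, cat)] += 1
            step = "warning" if seen[(ev.user, cat)] == 1 else "investigate as repeat offense"
        else:
            cat = "unauthorized-access"
            step = "verify, then investigate; termination-eligible; run breach risk assessment"
        findings.append((ev, cat, step))
    return findings

# Constructed audit sample (not real data): a nurse opening a non-assigned chart,
# an employee viewing then editing her own record, a parent using a work login.
SAMPLE = [
    Access("nurse_a", "P100", "view", care_team=True, portal_proxy=False),
    Access("nurse_a", "P200", "view", care_team=False, portal_proxy=False),
    Access("clerk_b", "P300", "view", care_team=False, portal_proxy=False),
    Access("clerk_b", "P300", "modify", care_team=False, portal_proxy=False),
    Access("tech_c", "P400", "view", care_team=False, portal_proxy=True),
]
OWN_RECORD = {"clerk_b": "P300"}

if __name__ == "__main__":
    for ev, cat, step in triage(SAMPLE, OWN_RECORD):
        print(f"{ev.user} -> {ev.patient} [{cat}]: {step}")
```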