Healthcare News & Insights

How to discourage cyber snooping among employees

GettyImages-455249053When you think of cyber snooping, you probably picture an individual sneaking into an office at night and stealthily scanning through computer files with malicious intent in mind. But when it comes to the healthcare industry, it can be all too simple to unintentionally view a patient’s file. This seemingly innocent error can have costly consequences. In this guest post, Erik Kangas, founder of an Internet services company dedicated to secure web and email hosting, details how to discourage cyber snooping.

__________________________________________________________

Reading a patient’s healthcare information when you don’t have clearance could breach HIPAA regulations, possibly leading to termination. It’s a situation that any hospital wants to avoid, whether the snoopers are making careless errors or deliberately trying to look where they shouldn’t.

Given that so many healthcare files are available digitally, it’s now quicker and easier than ever to access a patient’s records from anywhere, at any time. Restricting access to certain providers is ineffective because people may shift in their roles and always need access to the right patient’s information. So how do you discourage healthcare employees from violating HIPAA and looking at files they aren’t supposed to?

Here are a few ways you can stop cyber snooping before it starts.

Set clear boundaries

Setting boundaries starts with two things: a strong policy and clear education of what it entails. If a hospital fails to put together a policy that outlines when an employee can and can’t access patient files, it opens the door for any employee to accidentally view something they shouldn’t, or worse, to view something intentionally and then claim innocence because they weren’t taught otherwise.

Your hospital’s policy should explicitly list all the circumstances in which private information is accessible; do not assume that any are “common sense.” In addition to explaining the potential methods of access, include which types (or ranks) of employees can view certain types of information and which can’t. State this as clearly as you possibly can; it’s better to overstate than to leave something out. Be sure to include a clear explanation of potential consequences or remedial action needed if an employee does snoop (whether on purpose or accidentally).

A clear and well-outlined policy is the first step, but it’s not enough on its own. Your company should also offer training sessions, not just for new employees, but also as regular reminders for existing employees. Training should include instructing staff in how to correctly follow the company policy, and avoid breaching privacy guidelines. Giving employees proper education and training could actually help mitigate punishment if snooping does occur, since you’re less likely to get in legal trouble or excessive discipline if you clearly notified employees about consequences from the start.

That means the onus is on the facility itself to make sure its employees are properly trained – for both the employee’s own good and the hospital’s as a whole. As a failsafe, you could take the extra step to incorporate this privacy policy into your employee agreement from the outset; that way, you’ll have a signed document in the event they may breach HIPAA, which can provide more weight when it comes to terminating an employee.

Remind employees of accountability

Of course, your employees were hired in good faith that they’ll follow HIPAA; still, it’s always best to maintain strong monitoring of everyone’s behavior. Proactively placing employees under observation, as well as letting them know that their actions are recorded, can act as a simple deterrent to cyber snooping. Some companies rely more on surveillance systems and making their employees aware of the constant surveillance than heavily limiting who can access what. The accountability method is more effective than restriction, since the latter can create barriers that hold up legitimate access of information; accountability allows for swiftness in retrieving patient records – a must when a life is on the line.

Another preventive measure you should take is to make sure all corporate devices have lock screens that remind employees not to snoop. Consider a lock screen that requires employees to confirm their identity, reenter their password, or select from a drop-down menu the reason for using the device. Adding in a few extra steps to confirm the legitimacy of accessing a device can quickly deter those who may feel tempted to pry.

Although you don’t want to create a culture of suspicion or mistrust, it’s perfectly fine to remind staff that there are consequences to breaking HIPAA regulations, and it’s not something security will take lightly. Keep reminding employees that they’re accountable for their actions, and that you can (and will) monitor their actions on the job.

Enforce the boundaries fairly

If you catch an employee breaching HIPAA regulations by reading a patient’s information when they shouldn’t, it’s time to emphasize how serious a mistake, or a definitive choice, this is. Be firm in enforcing your company’s privacy policy and follow through with the appropriate punishment.

It’s not so much “making an example” out of someone as it is an affirmation that the consequences are no small warning. A strict policy carries little weight if rule-breakers are allowed to get away with their behavior. Even if the snooper broke HIPAA without realizing it, having a well-taught policy can negate any excuses, particularly of the “I didn’t know” variety.

The way in which you take action is just as important as the act of following through on your policy. As with any method of discipline, it’s important to be judicial and fair when it comes to employees who cyber snoop. Give accused employees a chance to defend themselves or offer a justification for their actions. Rushing to punish a rule-breaker before assessing all sides of the situation can make you potentially liable for claims of wrongful dismissal. Hospitals should be sure to have proper documentation and evidence ready (as well as that signed employee agreement that incorporates the privacy policy, as mentioned earlier) in order to avoid legal claims from terminated employees.

Privacy is the best policy

Whether out of malice, concern, innocence or simple curiosity, technology and digital records make it all too easy for a healthcare employee to look at a patient’s information without the appropriate clearance. If a strict policy or consistent monitoring hasn’t properly deterred staff members, then termination (on legitimate grounds) can act as a strong form of discouragement for any other employees looking to do some snooping in the future.

Establish early on what the penalties are for breaches of privacy, depending on HIPAA regulations, and communicate it clearly to your staff – then don’t waver from it or turn a blind eye to mild snooping here and there. If employees have a firm enough understanding of the facility’s policy on reading patient files, then there’s no excuse for ignorance on their part.

Does your workplace have a policy in place to discourage cyber snooping? Has it been effective so far?

Erik Kangas is the founder, chief architect and developer of LuxSci, an Internet services company dedicated to secure web and email hosting. He also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging.

 

 

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.