With electronic patient records, the potential for privacy violations expands a thousand-fold. First, data can be accessed anywhere, not just on the physical premises. As a result, remote access makes snooping employees bolder.
Violating someone's privacy is more palatable when you can't get caught red-handed. Of course, you are leaving an audit trail on the computer. It's just that the run-of-the-mill employee doesn't understand the relative ease of finding out who saw what on which computer.
Your healthcare organization's IT staff can implement all kinds of applications to make it harder for employees to access data they have no business viewing. For employees who do have authorization to look at patient records, policies need to be put into place. Very stringent consequences must be attached to privacy violations, and follow-through is critical to set an example for other would-be snoopers. This is something healthcare organizations can do.
There are things outside the organization that could be lobbied for, though they require a bigger effort involving the entire provider industry. So why would a hospital employee view patient data? The most typical scenario is to sell it to such publications as the National Enquirer to make a lot of money. I don't know what these publications' rights are with regard to publishing stolen personal health information, but it seems to me that while they are protected from disclosing the source that leaked the information, they ought to be exposed to legal action for publicizing personal health information. Someone who is more versed in this, help me out here. Aren't they liable under HIPAA? This is not an issue of the public needing to know, for instance, that the government was doing something it shouldn’t. It's simply to feed the small minds of people who have nothing else better to do than to find out the intimate details of a celebrity's illness. So shutting down the source would help.
Those who steal to make money ought to have stiffer penalties. They ought to be set up as examples, so employee orientations should include what will happen when you access data for which you have no authorization. Employees need to know that while they can't get caught with the file in their hand, there is a very reliable technological audit trail that will catch them. The more we can educate and scare straight potential snoopers, the more we can control the human side of privacy violations.
I would be interested to know what your healthcare organization's policy is when an employee accesses unauthorized patient data.
Photo by Seth W. (http://www.flickr.com/photos/sethw/), CC BY-SA 2.0, obtained via Creative Commons license.


