HIPAA Compliance: How to Protect Patient Information Inside Your Organization

January 23, 2020

By: Samuel P. Burgess and Jessica L. Copeland

Healthcare organizations continue to be a premier target in cyber-attacks and data breaches. Also concerning is the frequency at which cyber intrusion originates within an organization.

A common type of internal incident occurs when there is an inadvertent disclosure by an employee (e.g., sending information to the wrong patient). This can result from carelessness, lack of proper training, or failure to implement adequate procedures to mitigate this risk.

A rising and more significant risk involves employees accessing information for which there is no justifiable reason (i.e., snooping through patient records). As a reminder, patient information should only be accessed by individuals who need the information to conduct their regular job functions. Even then, an employee should only access the minimum information necessary to complete those job functions. Allowing employees unfettered access to patient information creates a grave risk that accidental or intentional unauthorized access or disclosure of patient information could occur, which may expose the organization to significant liability.

While it may be difficult for an organization to limit the information accessed by employees, an organization must act reasonably in its efforts to comply with HIPAA. This can be accomplished through annual training of employees; consistent and periodic monitoring and auditing of access to, and disclosure of, information; and penetration testing, mock-phishing exercises and other vulnerability assessments. Further, organizations should develop disciplinary procedures for handling unauthorized access to patient information and advise all employees accordingly.

The most effective way to achieve compliance is through continued education and monitoring. All healthcare organizations should provide necessary training of employees, implement policies for the handling of information as well as the resulting disciplinary procedures, and develop procedures to regularly audit and monitor the information that is being used within the organization to determine if there has been any inappropriate access or disclosures. 

If you have any questions regarding this memo, or any other healthcare-related matter, please contact Samuel P. Burgess, Jessica L. Copeland or one of our attorneys in the Cybersecurity and Data Privacy Practice Group.