On April 8, 2008, The New York Times and The Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver." The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit." Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.
Incidents like this highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose. Authorized purposes include situations where the employee needs the information in connection with providing health care services to the patient. Other authorized purposes are limited, and are set forth in the HIPAA Privacy Rule. In addition, state laws may further restrict which employees can access certain sensitive information, such as mental health records.
HIPAA requires that covered entities implement safeguards intended to prevent unauthorized employees from accessing protected health information (PHI). The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted). With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) Access Authorization levels and (2) Access Establishment and Modification. This may include developing and implementing policies and procedures for assigning access rights (e.g., passwords) to employees based upon their role at the facility. Finally, it is imperative that employees are trained on the established policies, and that the applicable sanctions (ranging from warnings to termination) are carried out for violations.
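To make the two Security Rule elements concrete, here is an added illustration (not code from the original post or from any particular hospital system) of a role-based access check for electronic PHI that also records every attempt, followed by a review of that audit log for the kind of snooping described above. All employee names, roles, patient identifiers and log entries are constructed for the example.

```python
# Added example: role-based authorization for electronic PHI with an audit trail,
# plus a simple privacy-officer review of denied attempts. All data is constructed.
from collections import defaultdict

# "Access Authorization levels": which record categories each role may open.
# Mental health records are held back from most roles, reflecting stricter state law.
ROLE_PERMISSIONS = {
    "attending_physician": {"clinical", "mental_health"},
    "nurse": {"clinical"},
    "billing_clerk": {"billing"},
}

# "Access Establishment and Modification": the treatment relationship, i.e. which
# patients each employee is actually assigned to. Updated as assignments change.
TREATMENT_RELATIONSHIPS = {
    "dr_lee": {"P100", "P101"},
    "nurse_kim": {"P100"},
    "clerk_ray": {"P100", "P101", "P102"},
}


def authorize(employee, role, patient_id, category, audit_log):
    """Return True only if the role may open this category AND the employee has a
    treatment relationship with the patient. Every attempt is logged, allowed or not."""
    role_ok = category in ROLE_PERMISSIONS.get(role, set())
    relationship_ok = patient_id in TREATMENT_RELATIONSHIPS.get(employee, set())
    permitted = role_ok and relationship_ok
    audit_log.append({
        "employee": employee,
        "role": role,
        "patient": patient_id,
        "category": category,
        "permitted": permitted,
    })
    return permitted


def flag_snooping(audit_log, threshold=1):
    """Employees with more than `threshold` denied attempts, for sanction review.
    Returns a dict of employee -> number of denied attempts."""
    denied = defaultdict(int)
    for entry in audit_log:
        if not entry["permitted"]:
            denied[entry["employee"]] += 1
    return {emp: count for emp, count in denied.items() if count > threshold}
```

In practice the audit entries would also carry a timestamp and be written to tamper-evident storage, and the review would cover permitted accesses to high-profile patients as well, since a user who legitimately holds broad access can still snoop.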