In February 2018, the Medical University of South Carolina (“MUSC”) announced during a meeting with its board of trustees that 13 employees were terminated in 2017. The administrators of MUSC determined that these employees had accessed patient records without permission. Such access without permission is considered “snooping.” Studies have found that employee snooping is one of the biggest threats to HIPAA privacy. Snooping usually occurs when an employee views the medical records of friends, family, work colleagues or a celebrity without authorization because the employee is curious about why that person is there or what treatment they are receiving.
Such snooping is considered a breach under HIPAA. HIPAA provides three exceptions to the definition of “breach.” One exception applies when an employee of a covered entity unintentionally accesses or uses protected health information, provided that such access or use is made in good faith and within the scope of authority. However, the Department of Health and Human Services, Office for Civil Rights (OCR) has stated that this exception does not apply to snooping employees because snooping is neither unintentional nor done in good faith.
To monitor snooping, MUSC has designated certain employees to follow the news and identify any patients who may be making headlines, since some employees will snoop in a patient’s record after that patient is discussed in the news. Eleven of the fifty-eight privacy breaches at MUSC in 2017 were categorized as snooping.
A MUSC spokeswoman also issued a statement regarding the terminations based on snooping and provided that “[s]ome breaches are simply a case of information being faxed to the wrong clinic location, whereas others can involve misplaced curiosity or malice” and “[t]ransparency is incredibly important, and necessary, to prevent and discourage future breaches…”