Since the breach notification rule became effective two and a half years ago, the HHS Office for Civil Rights has logged more than 31,000 breaches of protected health information.

Of those, 500 breaches have been "major" (each affecting at least 500 individuals), with several affecting more than 1 million. The major breaches have generally occurred outside a health care facility's walls and resulted from a laptop or backup tapes being lost or stolen, or a hard drive or paper records being improperly disposed of.

But internal threats to protected health information, such as employees snooping into the medical records of co-workers or VIPs, bringing in unauthorized mobile devices, making configuration changes to information systems, sending unencrypted information in e-mails to legitimate outside recipients, or unknowingly accessing a rogue Web site, are far more common than the big breaches that make headlines, IT executives say.

The University of Arizona Health Network in Tucson had snooping incidents when former Rep. Gabby Giffords was being treated for gunshot wounds following a shooting spree at a meeting with constituents, says Jeffrey MacEwen, the health system's information assurance officer. Some snoopers tried to get around internal security by jumping on workstations and checking Giffords' records after co-workers walked away without logging out of their sessions, he recalls.

Three-hospital Beaumont Health System in Royal Oak, Mich., has terminated a handful of employees this year because they were found to have pulled records of co-workers or VIPs, says Doug Copley, director of corporate information services and information security officer.

While there's always a handful of employees who are criminally curious, most internal breaches of PHI are unintentional, such as an employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice, Copley says. "Things happen and most of the time it's not malicious, it's people not knowing the right way to secure the information."

In Joe Goedert’s feature story in the August issue of Health Data Management, information security officers detail working strategies for mitigating internal threats.
