Share:
How would you feel if someone accessed your private medical information because they were curious? Perhaps they were just wondering what happened to you after they checked you in. Or when you were born, what street you live on, why you missed work, what your lab results were or what was making you sick?
You’d probably feel, well, a bit sick yourself.
Sadly, there are times when employees temporarily lose sight of their best judgment and intentionally and inappropriately access patient information for no apparent reason. This is called snooping. And snooping is not tolerated at Asante.
Asante’s Confidentiality Standards and Sanctions
policy states in part that staff members may access patient information only when they have a legitimate and permissible reason, and are acting within the scope of their job responsibilities. This policy further defines Asante’s zero-tolerance policy against snooping.
The policy applies to the inappropriate access of:
- Family and friends.
- Significant others or exes.
- Neighbors.
- Celebrities and politicians.
- Co-workers.
- Any other patient for whom there is no justified reason for access.
Accessing protected health information without a legitimate work-related need can result in significant consequences for both the hospital and the snooper.
Recent investigations
Earlier this year, a citizen reported that they suspected an Asante employee had inappropriately accessed someone’s medical record. The Privacy team, along with Human Resources and the employee’s manager, immediately investigated. This led to Asante enforcing its zero tolerance policy along with a broader review of the employee’s access history.
Ultimately, the employee was found to have snooped into more than 50 patients’ records. Asante had to inform each patient that one of our employees had inappropriately accessed their personal health information.
Although we hope this transparency will help our patients regain some level of trust, several were brought to tears that someone in a position of trust would do such a thing with their information.
So far this year the Privacy team has investigated 17 inappropriate access cases. Eight of these resulted in Asante notifying 140 individuals and the U.S. Secretary of Health and Human Services, as required by HIPAA. In other words, 140 people have lost some sense of trust in Asante as a result of these incidents.
Asante’s privacy monitoring process is designed to identify snooping, potential identity theft or other potentially inappropriate behaviors. Unfortunately, as the above example illustrates, not every instance of inappropriate access can be promptly identified. Therefore, Asante relies upon its policies, education and, more important, the obligation for employees to do the right thing, even when no one is (possibly) watching.
Investigations lead to just outcomes
If unusual activity is detected, or in response to a complaint, a member of the Asante privacy team will lead a robust investigation. This investigation may include contacting the staff member’s supervisor to request an explanation. The employee will be given an opportunity to explain the reason for accessing the records.
If access is deemed inappropriate or not job-related, the supervisor and HR manager discuss appropriate sanctions based on the Asante Confidentiality Standards and Sanctions policy. Sanctions could range from verbal coaching up to termination and notification to the appropriate medical licensing board.
Not every complaint leads to corrective action. Often, the investigative process concludes that the access was appropriate. The investigative process is designed to find the truth, and when needed, sanctions are applied in a just, equitable and consistent manner.
PRIVACY DO’S AND DON’TS
DON’T access your own record from your Asante employee account. Instead, use MyChart or ask Medical Records for a copy.
DON’T access patient records, including demographic information, to satisfy your curiosity. Only access records for work-related reasons.
DO follow the minimum necessary standard. That is, access only the information in the chart you need to perform your task. For example, a business office specialist may need to see if a lab test was performed but not necessarily the results of the lab test.
DO speak up if you suspect a privacy violation.
Three ways to report concerns
- Email the Privacy team at pr*****@as****.org.
- Call Compliance hotline at (866) 340-7788.
- Submit a question or concern via the Compliance page on myAsanteNET.
If you have a question, please contact the author or relevant department directly.
