What you need to know about the forces reshaping our industry.


January 28, 2015

EHRs help hospital catch employee snooping on patient records

Daily Briefing

Electronic health records (EHRs) can be used for more than storing and sharing patient data; the systems can also make it easier to identify employees who might be committing HIPAA violations by inappropriately accessing patient records—an issue that recently came to light at a California hospital.

One in 10 Americans has been affected by a large health data breach

Officials from California Pacific Medical Center on Jan. 23 notified 844 patients after an EHR audit conducted in October discovered that a pharmacist employed by the San Francisco hospital had been inappropriately viewing patient data from October 2013 to October 2014.

Originally, the incident was thought to have only affected 14 patients. However, after an "expanded investigation," the number of records viewed was found to be much larger. According to the investigation, the information that the pharmacist accessed included:

  • Clinical diagnoses;
  • Clinical notes;
  • Patient diagnosis; and
  • Prescription data.

The hospital policy allows staff to access patient data "only when necessary to perform job duties and that violating this policy may result in loss of employment." The staff member has since been terminated.

According to HHS data, nearly 13% of data breaches involve improper access or inappropriate disclosure of patient records.

Suzanne Widup, a senior analyst on the Verizon RISK team, says the best way to avoid such breaches is to audit your employees and patients' health data. She says, "You need to know who has the data, who has access the data, and you need to monitor it," adding, "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before" (McCann, Healthcare IT News, 1/26).

The takeaway: A recent data breach in California, in which an employee inappropriately accessed patient records, sheds light on how EHRs can be used to monitor and prevent inappropriate EHR use.

Hear from our experts

Ernie Hood, Senior Research Director

Data breaches are pretty much (or just about) inevitable; what hospitals are failing to do is prepare for them. We know from studies that the top indicator of how bad the consequences of a breach will be is how quickly and effectively an organization reacts to it. But hospitals are not spending the time needed to prepare for a breach in advance.


More from today's Daily Briefing
  1. Current ArticleEHRs help hospital catch employee snooping on patient records

Have a Question?


Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.