B“BEING INQUISITIVE ABOUT other people’s affairs may get youintrouble.” “Momma alwayssaid to mind your business.” “Curiosity killedthe cat.” There are plenty of well-known, well-worn sayings that warn us about the dangers that come with unchecked cu- riosity. And yet, curiosity can be a difficult impulse to curb—even when it comes to healthcare employees with the means to access sensitive information without proper authorization. In addition to the various external threats to privacy in healthcare, privacy officers also need to keep an eye out
for the potential threat of “curious cats,” and have a plan
to mitigate and prevent their actions. This can be an issue
in rural and small town healthcare settings in particular—
where employees are more likely to know the patients being
treated. Improper access of fellow hospital employees’ information is also a danger, regardless of the setting.
While breaches involving ransomware, malware, and
other cybersecurity issues continue to monopolize the
news, rural privacy officers are often more concerned with
snoopy employees. These might be curious staff members
who feel that knowing why a patient presents to the hospital can help them provide assistance to the patient or their
family, or might simply be people being nosy.
Justifications for a breach that have likely been heard before include “I was concerned with the co-workers well-being” or “I didn’t want to bother the family so I just checked
the computer really quick.” It is so easy—the temptation is
only a few clicks away.
Although privacy officers provide training to employees to
Example Scenario: The Incident
help combat this issue and facilitate resisting the temptation,
is it enough? What if the employee doesn’t think before click-
ing? What is the proper response from a privacy officer? Con-
sider the following scenario.
Janet, a manager of utilization review at Hospital A, has
been an employee for 20 years and has a stellar performance record. Occasionally, Janet is called to assist with
patients in the emergency room. On Tuesday at 11 a.m.,
Janet hears that Molly, a nurse at Hospital A, was in a car
accident and is being seen in their emergency room. Janet
heard that the police were in the emergency room, too. Janet is worried about Molly because rumor has it that Molly
may have a drinking problem and has been going through
a divorce. Janet wanted to check if Molly needed any assistance so she quickly logs in to check Molly’s status in
the emergency room. Janet discovers Molly has only minor
injuries but her blood alcohol level is high. Janet was not
asked to go to the emergency department for a consult nor
did she go see Molly in the emergency room. Molly is discharged.
Two days later, Molly is concerned that her privacy has
been breached and requests a privacy audit on her health
record. The audit reveals that Janet accessed Molly’s medical record and reviewed lab results. The privacy officer
interviews Janet. Janet explains that she accessed Molly’s
chart in case she was going to need to assist in the emergency room.
What steps should Hospital A’s privacy officer take in response to this incident?
Often Kill the
Cat in Healthcare
By Traci Waugh, RHIA, CHPS, CHC