As we noted in late January 2020, the spread of infectious disease raises particular concerns for healthcare workers who want to do their jobs and care for their patients, while also protect themselves and their families. Perhaps the desire to protect one’s self and family is what motivated a California state healthcare worker to access COVID-19-related health records of more than 2,000 current and former patients and employees over a ten-month period.
Regardless, this data breach should be a reminder for all organizations that (i) compromises to personal information of whatever kind are not only caused by criminal hackers, and (ii) considering all the personal health information being collected by organizations in connection with COVID-19 screening, testing, and vaccination programs, this is not a problem limited to health care employers.
In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. According to a press release and published FAQs, an employee of Atascadero State Hospital with access to the hospital’s data servers as part of the employee’s information technology job duties improperly accessed approximately 1,415 patient and former patient, and 617 employee names, COVID-19 test results, and health information necessary for tracking COVID-19. The hospital discovered the breach on February 25, 2021, and, evidently, the employee’s improper access had been ongoing for 10 months.
Of course, HIPAA covered entities and business associates should be taking steps to address this risk. Such steps include, for example, continually reminding workforce members about access rights and the minimum necessary rule, which are required under HIPAA’s privacy and security regulations. At times, unauthorized access may be difficult to identify, particularly where employees have a need for broad access to information. In the case noted above, the breach was discovered as part of the hospital’s annual review of employee access to data files. Reviewing system activity generally is a good idea for all organizations, taking into account relevant threats and vulnerabilities to shape frequency, scope, and methodology.
The Office for Civil Rights has issued bulletins addressing HIPAA privacy in emergency situations, such as one in November 2014, during the Ebola outbreak, and one in February 2020 for the coronavirus. These bulletins provide good resources and reminders for health care providers when working in this environment. They also convey helpful considerations for all organizations handling sensitive personal health information.
During the past 12 months, organizations have collected directly or through third party vendors massive amounts of data about employees. Examples include data collected during daily temperature and symptom screenings, COVID-19 test results for contact tracing purposes, and now vaccination status. Some organizations have used thermal imaging cameras that leverage facial recognition technology to screen, while others have rolled out newly developed devices and apps to manage social distancing and facilitate contact tracing efforts. We now are seeing systems being rolled-out to track and incentivize vaccinations. All of these activities involve the collection and storage of personal information at some level.
Organizations, whether covered by HIPAA or not, engaged in these activities should be thinking about how this information is being safeguarded. This includes assessing the safeguards implemented by third party vendors supporting the systems, devices, and activities. Again, these efforts should not be focused only on systems designed to prevent hackers from getting in, but what can be done internally to prevent unauthorized access, uses, and disclosures of such information by insiders, employees.