Yes, staff snooping of medical records is a privacy breach
A privacy breach can come in many forms. Breaches due to ransomware attacks have been grabbing headlines recently, and with good reason: the FBI estimates there are now an average of 4,000 attacks daily in the United States. But there are many other, even more common, types of privacy breaches that can be both embarrassing and potentially expensive for medical practices.
Matt Fisher, JD, co-chair of the health law group at Mirick O’Connell in Worcester, Massachusetts, says the problem he sees most often among his clients involves insider issues such as snooping, which is inappropriate access to patient records by staff members. For example, if someone on the staff sees a neighbor come into the office and, out of curiosity, checks the patient’s record to see why they are seeing a doctor, it is considered snooping and constitutes a breach of privacy.
Another example Fisher cites is if something happens in the community, such as a car accident or shooting, and someone in the office looks at patient records after watching the news to find out what happened.
Although such incidents may seem harmless, they still constitute privacy breaches and carry all the same risks.
Even if the employee doesn’t do anything with the information, once it has been accessed, it is a breach. A likely scenario is that the employee chats about what they saw in the patient’s record with a friend. Fisher says, “It’s not financial harm, but it is reputational harm.”
Another form of snooping, according to Fisher, occurs when an employee leaves a practice. Employees may take information and then use it to contact patients in order to try to sell them products or to attempt to take them to the new employer.