Limit Internal Access to Protected Health Information
Data breaches caused by current and former employees impermissibly accessing PHI have been a recurring issue in U.S. Health and Human Services Office of Civil Rights investigations.
Protecting patient data from hackers and cybercriminals is essential, but medical practices should never underestimate the daily privacy and security risks posed by internal employee access to protected health information (PHI). The U.S. Health and Human Services Office of Civil Rights (HHS OCR) is the agency in charge of enforcing HIPAA and investigating PHI breaches. Data breaches caused by current and former employees impermissibly accessing PHI have been a recurring issue in OCR investigations.
Medical practices that fail to take affirmative, HIPAA-required steps to protect against employees or contractors impermissibly accessing, using, or disclosing PHI risk an OCR breach investigation, monetary penalties, and reputational harm. Implementing written policies and procedures to prevent these types of breach situations is essential. In this article, MICA discusses:
- Examples of employee-related PHI breach situations;
- Compliance with the HIPAA minimum necessary requirement to reduce the risk of employee-caused breaches; and
- Implementation of electronic access controls for HIPAA compliance and PHI protection.
Examples of Breaches Caused by Employees/Contractors
Breach reports mandated by HIPAA breach notification rules trigger OCR investigations. Following are two examples of situations OCR investigated after HIPAA covered entities reported a breach:
- Twenty-three security guards working in a Washington hospital emergency department used their login credentials and accessed patient records without a job-related purpose. They viewed patient names, birth dates, insurance information, addresses, and notes related to treatment.[1]
- After a Colorado medical center terminated an employee, the individual logged in to the facility’s computer system twice and used a web-based scheduling calendar to access PHI of over 500 patients.[2] Had the facility immediately deactivated the former employee’s username and password upon termination, she would not have been able to accomplish this.
MICA’s Risk Team Consultants have consulted with MICA members concerned about similar potential breach situations. In one instance, a front desk employee impermissibly accessed and disclosed PHI. The employee and patient attended the same school and had mutual acquaintances. The employee shared information from the patient’s medical record with other students, including that the patient had a history of sexual abuse. The employee’s job description did not involve patient care, so she should not have had access to treatment notes.
Each of the above scenarios likely could have been avoided by implementing:
- Minimum necessary policies and procedures mandated by the HIPAA Privacy Rule and
- Access control policies as required by the HIPAA Security Rule.
HIPAA and “Minimum Necessary”
To protect patient confidentiality, the HIPAA Privacy Rule sets limits on when and how much PHI can be used or disclosed. For example, the Privacy Rule permits HIPAA covered entities to disclose PHI as follows:
- To insurance companies or other health care professionals for treatment or payment;
- To third parties, as specified by the patient; and
- For public health purposes, to certain government agencies in charge of preventing or controlling disease.
Even when a use or disclosure is permitted, the Privacy Rule’s “minimum necessary” standard applies. This standard requires covered entities like medical practices to make reasonable efforts to limit the PHI provided to that which is necessary for the particular purpose.[3] The minimum necessary standard applies to external and internal uses and disclosures. Therefore, it applies to how practice employees and contractors access and use PHI.
Compliance with this standard means, in part, that medical practices must implement and enforce written policies which restrict employee access to PHI based on job description. Such policies must specify:
- Employees and contractors, by job title, who need PHI access to accomplish job functions;
- Categories of PHI that each job title must access to perform their duties;
- Any conditions that apply when accessing the PHI.[4]
Practices can be certain that OCR will ask to examine these written policies and procedures during any investigation of a reported breach involving an employee or contractor.
Access Controls
To enforce the internal, minimum necessary restrictions discussed above, practices must implement access controls. The HIPAA Security Rule requires covered entities to develop written policies and procedures governing access controls. These policies must describe the process a covered entity implements to ensure that electronic protected health information (ePHI) is inaccessible to those who do not need it to perform their job.[5]
MICA’s Risk Consultants regularly offer the following tips for developing and implementing internal access control policies and procedures:
- Designate one person or a team to evaluate access requirements for each job title within the practice. Once you determine what information a particular job title does not need to access, you can work with IT to implement electronic access controls.
- The Security Rule requires covered entities to assign each system user a unique ID. This ID must be entered to log into systems that contain ePHI.[6] Educate employees and contractors that they should not share their ID with others. Because every access is then tied to one person, practices can audit that access controls are working properly by reviewing system activity logs by user ID and checking each access against what that user’s job title is permitted to see.
- To avoid a potential breach situation caused by a former employee, review your employment and contract termination policies and procedures. There should be a process to ensure that the person in charge of granting and revoking system access is immediately notified of any termination. Access privileges should be cancelled immediately when an employee departs or a vendor contract is terminated.
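The three tips above, together with the minimum-necessary policy elements listed earlier (job titles, PHI categories per title, and conditions of access), translate directly into a small role-based access check that can also be run over an access log as an audit. The following is an added illustration written for this article; it is not MICA’s code or any practice’s system. The job titles, PHI categories, user IDs and log lines are constructed for the example, and the log format (`timestamp user=… category=… patient=…`) is an assumed one.

```python
"""Role-based PHI access check and audit, modelled on the minimum-necessary
and access-control policies described above.

All job titles, PHI categories, user IDs and log lines here are constructed
for illustration; they are not from any real practice or system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed minimum-necessary matrix: the PHI categories each job title
# needs to perform its duties. Any category not listed is denied by default.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "scheduling", "insurance"},
    "billing": {"demographics", "insurance"},
    "clinician": {"demographics", "scheduling", "insurance", "treatment_notes"},
    "security_guard": set(),  # no job-related need to open patient records
}


@dataclass
class User:
    user_id: str                              # unique per person; never shared
    job_title: str
    terminated_at: Optional[datetime] = None  # set when access is revoked

    def is_active(self, at: datetime) -> bool:
        return self.terminated_at is None or at < self.terminated_at


def is_permitted(user: Optional[User], category: str, at: datetime) -> tuple[bool, str]:
    """Decide whether one access is allowed; the reason feeds the audit trail."""
    if user is None:
        return False, "unknown user id"
    if not user.is_active(at):
        return False, "account terminated"
    if category not in ROLE_PERMISSIONS.get(user.job_title, set()):
        return False, f"category not permitted for {user.job_title}"
    return True, "ok"


def deprovision(users: dict[str, User], user_id: str, when: datetime) -> None:
    """Revoke access at the moment of termination (the step the Colorado
    medical center in the example above did not take)."""
    users[user_id].terminated_at = when


def parse_log_line(line: str) -> dict:
    """Parse an assumed 'timestamp user=... category=... patient=...' line."""
    ts, *pairs = line.split()
    entry = dict(p.split("=", 1) for p in pairs)
    entry["at"] = datetime.fromisoformat(ts)
    return entry


def audit(log_lines: list[str], users: dict[str, User]) -> list[dict]:
    """Re-evaluate every logged access against policy; return the violations."""
    findings = []
    for line in log_lines:
        e = parse_log_line(line)
        ok, reason = is_permitted(users.get(e["user"]), e["category"], e["at"])
        if not ok:
            findings.append({"user": e["user"], "patient": e["patient"],
                             "category": e["category"], "reason": reason})
    return findings


# Constructed user directory; fd_dave is terminated at 17:00 on 1 March.
USERS = {
    "fd_alice": User("fd_alice", "front_desk"),
    "dr_bob": User("dr_bob", "clinician"),
    "sg_carol": User("sg_carol", "security_guard"),
    "fd_dave": User("fd_dave", "front_desk"),
}
deprovision(USERS, "fd_dave", datetime(2024, 3, 1, 17, 0))

# Constructed access log: two legitimate accesses and four policy violations.
ACCESS_LOG = [
    "2024-03-01T09:10:00 user=dr_bob category=treatment_notes patient=P001",
    "2024-03-01T09:15:00 user=fd_alice category=scheduling patient=P002",
    "2024-03-01T09:20:00 user=fd_alice category=treatment_notes patient=P002",
    "2024-03-01T10:05:00 user=sg_carol category=demographics patient=P003",
    "2024-03-02T08:00:00 user=fd_dave category=scheduling patient=P004",
    "2024-03-02T08:30:00 user=unknown category=scheduling patient=P005",
]


def run_audit() -> list[dict]:
    """Run the audit over the constructed log; returns the flagged accesses."""
    return audit(ACCESS_LOG, USERS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['user']} -> {f['category']} on {f['patient']}: {f['reason']}")
```

The audit flags the front desk employee opening treatment notes (the situation in the MICA member example), the security guard opening any record, the terminated employee logging in the next morning, and an ID that is not in the directory. Denying by default and keying everything to a unique user ID is what makes each finding attributable to one person; the permission matrix is the artifact OCR would expect to see reflected in the practice’s written policies.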
[3] 45 CFR § 164.502(b)
[4] Id. at § 164.514(d)
[5] Id. at § 164.308(a)(3) & (4)
[6] Id. at § 164.312(a)(2)(i)