Study Finds Email Warnings Reduce Unauthorized Employee EHR Access

A recent study published in JAMA Network Open has found that sending an email warning on the day unauthorized access to protected health information (PHI) by medical staff is detected reduces repeat offenses by 95 percent.

Healthcare data breaches are a significant problem for the sector. While the largest breaches are usually the result of hacking and other IT incidents, insider breaches in which employees snoop on health records are also common. In these cases, medical staff typically access the records of family members, friends, and colleagues. Access to a single patient file may seem inconsequential, but if it goes unchecked it can grow into a major breach: an employee who views one record without consequence can go on to view the records of many patients over several years.

The study, titled Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial, was conducted by researchers at Johns Hopkins and Michigan State University and investigated whether email warnings prevent repeat offenses. From January 1 to July 31, 2018, the researchers monitored all unauthorized access to patient medical records at an academic medical center, that is, access by employees who had no treatment relationship with the patient. During that period, 444 employees viewed the records of patients who were not under their care. Of these, 219 were randomly selected to receive an email alert on the evening of the unauthorized access. The email informed the individual that they had accessed a patient’s electronic health record without a legitimate reason and were therefore in violation of privacy regulations. The remaining 225 employees formed a control group and received no alert.

The email warning was highly effective. Within 20 to 70 days of their first unauthorized access, only 4 of the 219 employees who received a warning accessed patient records without authorization again. In the control group, 90 of the 225 employees did so within the same 20 to 70 day window. That is a 95 percent reduction in repeat offenses.
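The workflow the study describes, detecting record access by staff with no treatment relationship, sending a warning the same evening, and checking for repeat access 20 to 70 days later, is shown below as an added Python example. This is not code from the study or the medical center: the audit-log format, the care-team table, the override `reason` field and every user and patient identifier are constructed assumptions.

```python
"""Detect PHI access without a treatment relationship in EHR audit logs,
draft the same-evening warning, and flag repeat offenders in a follow-up window.

Added example, not code from the study or the medical center. The log format,
the care-team table and the override 'reason' field are assumptions.
"""
from datetime import datetime

# Constructed sample audit log (CSV): timestamp,user,patient,action,reason
# A documented reason (e.g. break-the-glass) is treated as an authorized
# override; an empty reason with no care-team membership is unauthorized.
AUDIT_LOG = """\
2018-01-03T09:12:00,nurse_a,pt_100,view_chart,
2018-01-03T09:40:00,nurse_b,pt_100,view_chart,
2018-01-04T14:05:00,clerk_c,pt_200,view_chart,
2018-01-05T08:00:00,dr_d,pt_300,view_labs,break_the_glass:ED_consult
2018-02-10T17:30:00,nurse_b,pt_101,view_chart,
2018-04-20T11:00:00,nurse_b,pt_102,view_chart,
2018-01-30T10:00:00,clerk_c,pt_201,view_chart,
"""

# Constructed treatment relationships: patient -> users who may access.
CARE_TEAMS = {
    "pt_100": {"nurse_a", "dr_d"},
    "pt_101": {"nurse_a"},
    "pt_102": {"dr_d"},
    "pt_200": {"dr_d"},
    "pt_201": {"dr_d"},
    "pt_300": {"nurse_a"},
}


def parse_log(text):
    """Parse the CSV log into dicts, sorted by time (logs often arrive unordered)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action, reason = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action, "reason": reason})
    return sorted(events, key=lambda e: e["ts"])


def is_unauthorized(event, care_teams):
    """Unauthorized = not on the patient's care team and no documented override."""
    team = care_teams.get(event["patient"], set())
    return event["user"] not in team and not event["reason"]


def detect_unauthorized(log_text, care_teams):
    """All unauthorized access events in the log, oldest first."""
    return [e for e in parse_log(log_text) if is_unauthorized(e, care_teams)]


def warning_email(event):
    """Draft the evening-of warning for one unauthorized access (wording assumed)."""
    return {
        "to": event["user"],
        "subject": "Unauthorized access to a patient record",
        "body": (f"On {event['ts']:%Y-%m-%d %H:%M} you accessed the record of "
                 f"patient {event['patient']} ({event['action']}) without a "
                 "documented treatment relationship. This violates the medical "
                 "center's privacy policy and applicable privacy regulations."),
    }


def repeat_offenders(events, min_days=20, max_days=70):
    """Users with a further unauthorized access min..max days after their first.

    The first unauthorized access is the one that triggered the warning;
    only later accesses inside the follow-up window count as repeats.
    """
    first_seen = {}
    repeats = {}
    for e in events:  # events are sorted by time
        user = e["user"]
        if user not in first_seen:
            first_seen[user] = e["ts"]
            continue
        delta_days = (e["ts"] - first_seen[user]).days
        if min_days <= delta_days <= max_days:
            repeats.setdefault(user, []).append(e)
    return repeats


if __name__ == "__main__":
    flagged = detect_unauthorized(AUDIT_LOG, CARE_TEAMS)
    for ev in flagged:
        mail = warning_email(ev)
        print(f"{ev['ts']:%Y-%m-%d} {mail['to']} -> {ev['patient']}: {mail['subject']}")
    for user, evs in repeat_offenders(flagged).items():
        print(f"repeat offender in 20-70 day window: {user} ({len(evs)} access(es))")
```

In the constructed log, `nurse_b` reoffends 38 days after the first flagged access and `clerk_c` 25 days after, so both fall inside the study's 20 to 70 day window; `nurse_b`'s third access at 107 days falls outside it, and `dr_d`'s break-the-glass access is excluded because a reason was documented. A real deployment would also log which warnings were sent so the repeat check is only applied to warned users, which is exactly the comparison the study made between its intervention and control groups.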

“Email warning remains a critical access control measure for the medical center today,” the researchers concluded. “Adopting simple email warnings, accompanied by a PHI access control system, can substantially reduce future unauthorized access and benefit patients and health care entities.”