Data breaches of protected health information (PHI) create substantial financial, reputational, and clinical risks for patients and health care entities.[1-4] Prior research[5] found that large academic medical centers face disproportionately higher PHI breach risks than other hospitals. Approximately one quarter of PHI breaches were caused by employees' unauthorized access to PHI, in which the employee lacked authorization, permission, or other legal authority to access the data.[6] A nonrandomized controlled trial was conducted in a large academic medical center to understand the effectiveness of an email warning in reducing repeated unauthorized access to PHI.
This study was exempt from institutional review board approval from Michigan State University because it does not meet the criteria for human participants research (no identifiable private information or identifiable biospecimens were accessed). The study followed the Transparent Reporting of Evaluations With Nonrandomized Designs (TREND) reporting guideline.
From January 1 to July 31, 2018, a large academic medical center’s PHI access monitoring system flagged all unauthorized accesses to patient electronic medical records from 444 employees (all professional medical staff), who were not part of the patient’s intervention team and did not have access permission. A total of 219 employees (49%) were randomly selected to receive an email warning on the night of their access, while the remaining employees (225, 51%) served as controls (Figure 1). The email stated that the employee had been identified as having accessed a patient’s electronic medical record without a known work-related purpose and that unauthorized access is a privacy violation.
For the intervention group (receiving an email warning) and the control group (not receiving an email warning), the frequency of subsequent unauthorized access for the same employee during January 1 to July 31, 2018, was compared. All unauthorized access was later verified as valid PHI breaches (neither work-related nor patient-authorized).
The academic medical center prohibits employees from accessing the records of family members, coworkers, friends, or other acquaintances without prior written authorization. To preserve the trial’s validity, no disciplinary action was taken during the trial period. Upon the conclusion of the trial, disciplinary actions were taken on all identified offenders following the institution’s access policy.
The 2-sided t test was used to compare medians in unreimbursed Medicaid costs of nonprofit and for-profit hospitals. Statistical significance was set at P < .001. Statistical analysis was conducted using SAS statistical software version 9.4 (SAS Institute). Data were analyzed from August to December 2021.
A total of 444 employees accessed data for which they were not part of the patient’s intervention team and did not have access permission. From January 1 to July 31, 2018, only 4 of the 219 employees (2%) in the intervention group committed unauthorized access for a second time (Figure 2A), while 90 of the 225 employees (40%) in the control group did so, representing a 95% effectiveness of email warning in reducing repeated offenses (2% vs 40%). The mean frequency of unauthorized access was 1.02 in the intervention group vs 2.45 in the control group (difference, 1.43; 95% CI, 1.01-1.85; P < .001). In the intervention group, 4 repeated offenses occurred between 20 and 70 days after the initial unauthorized access (Figure 2B). In the control group, 326 repeated violations occurred, with 88 (27%) within 10 days after the initial unauthorized access and 56 (17%) after 90 days.
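The following is an added example, not code from the study or from the medical center's monitoring system. It flags record accesses by staff who are neither on the patient's care team nor covered by a written authorization, then computes the three outcome measures reported above (repeat-offense rate, mean frequency of unauthorized access, and days to first repeat) for the warning and control arms. The audit log, care-team roster, authorizations, and arm assignment are all constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed audit log: (access_date, employee_id, patient_id)
ACCESS_LOG = [
    (date(2018, 1, 3), "e1", "p1"), (date(2018, 1, 4), "e1", "p9"),
    (date(2018, 1, 6), "e2", "p9"), (date(2018, 1, 9), "e3", "p8"),
    (date(2018, 2, 5), "e3", "p8"), (date(2018, 1, 2), "e4", "p9"),
    (date(2018, 1, 8), "e4", "p8"), (date(2018, 3, 1), "e4", "p7"),
    (date(2018, 1, 10), "e5", "p7"), (date(2018, 1, 11), "e5", "p2"),
    (date(2018, 1, 12), "e6", "p7"), (date(2018, 4, 20), "e6", "p9"),
    (date(2018, 2, 2), "e1", "p8"),  # covered by a written authorization
]
# Constructed care-team roster: patient -> staff with a work-related need
CARE_TEAM = {"p1": {"e1"}, "p2": {"e5"}, "p7": set(), "p8": {"e2"}, "p9": set()}
# Constructed written patient authorizations: (employee, patient)
AUTHORIZED = {("e1", "p8")}
# Constructed arm assignment made the night of each first flagged access
WARNED = {"e1", "e2", "e3"}  # intervention arm; all other offenders are controls

def flag_unauthorized(log, care_team, authorized):
    """Return flagged accesses (date, employee, patient) in date order:
    the employee is not on the care team and holds no written authorization."""
    return sorted((d, e, p) for d, e, p in log
                  if e not in care_team.get(p, set()) and (e, p) not in authorized)

def repeat_stats(flagged, warned):
    """Per arm: mean unauthorized accesses per offender and the share of
    offenders who offended again after their first flagged access."""
    counts = defaultdict(int)
    for _, e, _ in flagged:
        counts[e] += 1
    stats = {}
    for arm, members in (("warning", warned), ("control", set(counts) - warned)):
        n = [counts[e] for e in members if e in counts]
        if n:
            stats[arm] = {"offenders": len(n),
                          "mean_frequency": round(sum(n) / len(n), 2),
                          "repeat_rate": round(sum(c >= 2 for c in n) / len(n), 2)}
    return stats

def days_to_first_repeat(flagged):
    """Employee -> days between first and second flagged access (repeaters only)."""
    first, gap = {}, {}
    for d, e, _ in flagged:  # flagged is date-ordered
        if e not in first:
            first[e] = d
        elif e not in gap:
            gap[e] = (d - first[e]).days
    return gap
```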
This nonrandomized controlled trial found that when left unchecked, hospital employees repeatedly committed unauthorized access to PHI, creating substantial financial, reputational, and clinical risks for the patient and the organization.[1] Preventing repeated access is a critical risk-mitigation measure. An email warning after the initial unauthorized access was 95% effective in preventing repeated unauthorized access to PHI. The email warning remains a critical access control measure at the medical center today.
The results of this study might not be completely generalizable to other settings. The study is also limited by the lack of data on the prevalence of using email warning to contain unauthorized access among hospitals. Adopting simple email warnings, accompanied by a PHI access control system, can substantially reduce future unauthorized access and benefit patients and health care entities. The constantly evolving landscape of PHI breaches requires continuous risk management effort.
Accepted for Publication: February 24, 2022.
Published: April 13, 2022. doi:10.1001/jamanetworkopen.2022.7247
Open Access: This is an open access article distributed under the terms of the CC-BY License. © 2022 Jiang JX et al. JAMA Network Open.
Corresponding Author: Ge Bai, PhD, CPA, Johns Hopkins Carey Business School, Johns Hopkins Bloomberg School of Public Health, 100 International Drive, Baltimore, MD 21202 (gbai@jhu.edu).
Author Contributions: Dr Jiang and Mr Culbertson had full access to all of the data in the study and take responsibility for the integrity of the data and the accuracy of the data analysis.
Concept and design: All authors.
Acquisition, analysis, or interpretation of data: All authors.
Drafting of the manuscript: All authors.
Critical revision of the manuscript for important intellectual content: All authors.
Statistical analysis: Jiang.
Obtained funding: Bai.
Administrative, technical, or material support: All authors.
Supervision: Bai.
Conflict of Interest Disclosures: Mr Culbertson reported being the chief executive officer of Protenus; in addition, Mr Culbertson reported holding patent 11 183 281, issued to Protenus. No other disclosures were reported.
Additional Information: ClinicalTrials.gov identifier NCT05251844.