The St. Charles Health System may think they’ve met all their obligations in their handling of an insider snooping incident, but Deschutes County District Attorney John Hummel says the matter should have been reported to them for criminal investigation.
Now that’s interesting to think about. If a covered entity is convinced that an employee snooped just out of curiosity and not for any intended misuse of information for tax fraud, etc., should the covered entity be referring the matter to law enforcement for criminal investigation?
Would employees be more hesitant about snooping if they knew their employer could not just handle an incident internally and their name and actions would be referred for a criminal investigation?
And would employers/covered entities be even more motivated to prevent insider snooping if they knew they had to refer incidents for criminal investigation if more than X number of patients were involved?