One of the most worrying concerns DataBreaches and Protenus reported each year when reporting on breaches of health data was the insider threat. Often the insider threat takes the form of “snooping” out of curiosity. At other times, it may have more nefarious motives, such as obtaining information on an adversary or relative to embarrass them publicly on social media or to use information to perpetrate identity theft or fraud. In Report on Patient Privacy 25, no. 11 (November, 2025), Theresa Defino addresses the snooping issue by discussing a presentation by UHealth (the University of Miami Health System). Unfortunately, as Defino reports, UHealth was not particularly forthcoming in providing details about a significant incident it experienced.
If the whole point of networking is to share experiences and learn from each other, UHealth’s reluctance to be more transparent is not particularly admirable. Had they acknowledged what went wrong in their preventive approach, how they might have been able to detect it sooner, and what entities can do to prevent what happened to them, the presentation would probably have been even more helpful.
That said, read Defino’s report, which includes:
Point Is ‘Not to Fire’ People
Tuya added that the Privacy Rule “is clear that patients have a right to keep their health information confidential, and that right applies whether the patient is a stranger, a friend, someone you see at the grocery store or someone that you see on TV. Addressing employee snooping also matters because it can lead to some serious consequences for employees and organizations.”
“Something that we see a lot is…access to a child’s record,” Tuya said, where the employee uses their work credentials to access the electronic health record (EHR) rather than through being an authorized user via the patient portal, or a spouse checks on an appointment for a partner.
Many institutions “just take the position that all personal access is inappropriate,” but they also may apply lesser disciplinary measures for this sort, Tuya said.
It could happen that a provider accessing a family member’s record is actually caring for that individual, so it will be crucial to know if this is the case and whether it is allowed by the organization’s bylaws, Lawrence said. Similarly, that provider might call in a prescription. “It’s probably not a privacy violation,” but it could violate other policies, Lawrence said.
When crafting a zero-tolerance or a low-tolerance policy that may lead to termination, “you want that termination language in there at some point,” Lawrence said. But she added that the “whole point of doing this is not to fire the most people. The point of you doing this is almost a little fear” generation, and sending a message so that employees are “taking this seriously.”
But under UHealth’s policy, not every violation results in termination.
That seems appropriate — it is important to determine what the individual’s motivation was and what their understanding was of policy and procedures.
Read more at Report on Patient Privacy 25, no. 11 (November, 2025), republished on JDSupra.