As your HIPAA compliance partner, we want to remind all staff that unauthorized access to patient records—also known as “snooping”—is a serious HIPAA violation. Even in small, tight-knit practices, patient privacy must always be respected. Curiosity is not a valid reason to look at someone’s protected health information (PHI), and doing so can lead to termination, fines, and permanent consequences for the employee and the practice.
What Is Snooping?
Snooping is any access to PHI without a job-related reason. Common examples include:
- Looking up your neighbor’s upcoming appointment.
- Accessing your ex-partner’s chart out of curiosity.
- Viewing your coworker’s medication list just because you can.
- Inspecting VIP patient records.
Even if you don’t print, share, or speak about the information, accessing a patient’s record without a legitimate work need is still a HIPAA violation.
Why It Matters
The HIPAA Privacy Rule is clear: patients have a right to keep their health information confidential. That right applies whether the patient is a stranger, a friend, or someone you see at the grocery store.
Consequences of snooping can include:
- Termination of employment.
- Fines and possible individual liability.
- Mandatory reporting to the Department of Health and Human Services (HHS).
- Loss of trust from patients and community members.
Real Example: Small Practice, Big Consequences
In a recent enforcement action involving a small orthopedic practice in Georgia, a staff member was caught accessing the records of several individuals, including a former classmate and a local business owner, out of curiosity. The breach was identified during a routine access audit.
Although the employee claimed they “just wanted to see” what happened with a former patient, the practice was required to report the incident to HHS and notify the affected individuals. The employee was terminated immediately, and the incident triggered an investigation that took several months to resolve. While the practice avoided major fines due to quick internal response, the reputational impact in the small community was significant.
This case underscores a key message: snooping in a small practice is just as serious as in a large hospital.
How to Protect Yourself
To avoid unintentional violations:
- Only access records when it’s part of your assigned duties.
- Do not look at the PHI of family, friends, or anyone you’re not directly treating or supporting.
- Keep login credentials private and log out when stepping away.
- Report any suspected unauthorized access immediately.
We understand that in small practices, it can feel like “everyone knows everyone.” But that makes patient privacy even more critical. Patients trust us to protect their information, and HIPAA requires that we do.
HIPAA compliance starts with daily decisions. Snooping is never worth the risk.