
Comment Re:Or they made a mistake (Score 1) 427

Don't be obtuse. The name John F. Kennedy was used to illustrate a point, you know, an example.

The point of having a fake record would be that it wouldn't have NULL values for the fields. It would appear as a normal record. The fact that it shows up on legitimate searches isn't a problem, and would be a legitimate task for someone in Quality Control or someone involved in reporting to the State or Federal Databases. It all boils down to "need to know." If you are looking in a patient's record and you have no need to know (not treating, billing, etc.), you are in violation of HIPAA. The whole point of the honeytoken is to discover someone that is possibly engaging in an unauthorized activity. Could it be a mistake? It sure could, and little would happen after it was investigated. If the same person kept making these mistakes, or made a number of them in a short period of time, then it would be time for some training and/or HR procedures (including termination for repeat offenders).

Each HIPAA violation is a 100.00 fine. Pretty cheap until an entire database is compromised. A local hospital in my area had a temp nurse that also owned her own business. She queried the database for names and SSNs. Once she had them she billed Medicaid for services her business never performed. The cost to taxpayers was in the millions. A few honeytokens may have tipped the hospital off, before the feds knocked on the door.

This was pre-April 2003 so the HIPAA privacy rule wasn't in force; had it been, that hospital would have had a for-sale sign out front.
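
Added example, not part of the original comment: a sketch of the honeytoken triage described above, run over a constructed audit log. The record IDs, user names, role names, log format and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are constructed for illustration (hypothetical IDs, users, roles).
HONEYTOKEN_IDS = {"P-900001", "P-900002"}        # fake, fully populated patient records
NEED_TO_KNOW_ROLES = {"quality_control", "state_reporting"}  # legitimate hits, not alerted
BURST_WINDOW = timedelta(hours=24)               # "a number of them in a short period"
BURST_COUNT = 2
REPEAT_TOTAL = 3                                 # "kept making these mistakes"

# Constructed audit log: timestamp, user, role, record accessed.
AUDIT_LOG = """\
2024-03-01T09:15:00 jsmith nurse P-104233
2024-03-01T09:20:00 qc_amy quality_control P-900001
2024-03-01T10:02:00 temp17 nurse P-900001
2024-03-01T10:05:00 temp17 nurse P-900002
2024-03-02T14:30:00 jsmith nurse P-900002
2024-03-09T08:00:00 jsmith nurse P-900001
"""

def honeytoken_hits(log):
    """Return {user: [timestamps]} for honeytoken reads by roles with no need to know."""
    hits = defaultdict(list)
    for line in log.splitlines():
        ts, user, role, record = line.split()
        if record in HONEYTOKEN_IDS and role not in NEED_TO_KNOW_ROLES:
            hits[user].append(datetime.fromisoformat(ts))
    return dict(hits)

def triage(log):
    """'investigate' for isolated hits; 'escalate' for a burst or a repeat offender."""
    result = {}
    for user, times in honeytoken_hits(log).items():
        times.sort()
        # Sliding window: BURST_COUNT hits falling within BURST_WINDOW of each other.
        burst = any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
                    for i in range(len(times) - BURST_COUNT + 1))
        repeat = len(times) >= REPEAT_TOTAL
        result[user] = "escalate" if burst or repeat else "investigate"
    return result

if __name__ == "__main__":
    for user, action in sorted(triage(AUDIT_LOG).items()):
        print(user, action)
```
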
