Some facilities use "honeypots" as bait to catch snooping staff members who are in violation of HIPAA. "Honeypots," also referred to as "honeynuts," are fictitious medical records that IT monitors to determine if anyone is accessing them.
The terms honeypots and honeynuts derive from the notion that if you want to catch birds, you scatter birdseed. Use these tips regarding honeypots to catch snoopers and respond accordingly:
- Gain executive sponsorship. "Using a honeypot implicitly communicates we don't trust our staff, even though we know that insider snooping is by far the most common cause of privacy or security breaches," John R. Christiansen, founder of Christiansen IT Law in Seattle, says. You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy.
- Get HR buy-in. HR must be looped in to ensure that it will take appropriate action if you catch someone accessing records inappropriately, Christiansen says, adding that "legal counsel should vet the whole program to make sure legal risks are avoided."
- Conduct a risk assessment of your systems and equipment. Then create records for five media-centric personalities, making them as real as possible. Don't be too obvious. For instance, Madonna would probably not end up in a central Montana facility.
- Beware of entrapment. Honeypots are analogous to entrapment; they're bait that wouldn't work if someone wasn't predisposed to snooping, Christiansen says, because, as W.C. Fields said, "You can't cheat an honest man." Organizations should be certain that staff members know about policies that prohibit snooping and that system configuration prevents accidental access.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.