The Effectiveness of Email Alerting on Reducing Employees' Unauthorized Access to Protected Health Information

Effectiveness of Email Alerting on Reducing Hospital Employees' Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial

To assess the effectiveness of email warnings on reducing repeated unauthorized access to Protected Health Information (PHI), a randomized trial was conducted in a large academic medical center to understand the effectiveness of email warning on reducing repeated unauthorized access to PHI.

Study Overview

• Status: Completed
• Conditions: Unauthorized Data Access
• Intervention / Treatment: Other: receiving an email

Detailed Description

From January 1, 2018, to July 31, 2018, a large academic medical center's PHI access monitoring system flagged all unauthorized accesses to patient electronic medical records from 444 employees (all professional medical staff), who were not part of the patient's intervention team and did not have access permission. 219 employees (49%) were randomly selected to receive an email warning on the night of their access, while the remaining employees (225, 51%) served as controls. The email informed that the employee has had been identified as having accessed a patient's electronic medical record without a known work-related purpose and that unauthorized access is a privacy violation. A sample email was attached at the end of the protocol.

The system tracked all these individuals' violations within the sample period. Later on, all cases with the violators' ID and patients' ID fully de-identified (see the following excerpt as examples) were shared with researchers at John Hopkins and Michigan State for data analyses. Because researchers do not have the ability to link the data with an identifier, the study was exempted from Michigan State University's IRB review.

Violator ID Patient ID Date Intervention 01B1NSYX3CEXZ86UZXU7R9JQ4VEK R7Z8RTZQL4B9IAC13F6EXQJVWAI7 1/2/2018 No Email

01B1NSYX3CEXZ86UZXU7R9JQ4VEK R7Z8RTZQL4B9IAC13F6EXQJVWAI7 1/3/2018 No Email

• Study Type: Interventional
• Enrollment (Actual): 444
• Phase: Not Applicable

Contacts and Locations

Study Locations

• United States
  • Maryland
    • Baltimore, Maryland, United States, 21231
      • Protenus, Inc.

Participation Criteria

Eligibility Criteria

• Ages Eligible for Study: Child; Adult; Older Adult
• Accepts Healthy Volunteers: No
• Genders Eligible for Study: All

Description

Inclusion Criteria:

• violators of patients' privacy rights

Exclusion Criteria:

-

Study Plan

How is the study designed?

Design Details

• Primary Purpose: Other
• Allocation: Randomized
• Interventional Model: Parallel Assignment
• Masking: Quadruple

Number of Arms

2

Arms and Interventions

Participant Group / Arm	Intervention / Treatment
Experimental: Email warning; some individuals that accessed patients' data without authorization were randomly selected to receive an email warning. A sample email: Dear Colleague, The {Organization} proactive electronic record monitoring system has flagged you as having accessed the electronic patient record of {Patient_Name} on {Case_Event_Date}. A clear work-related purpose has not been identified for this access, and there are no approvals in place by the {Organization} Privacy Office to allow access to this record for personal purposes in accordance with A065. {Organization} takes the privacy of patient information very seriously. The {Organization} Privacy Office is now investigating this access as a potential privacy breach. This potential noncompliance needs to be resolved immediately. To help determine whether a privacy breach has occurred, please respond to this email with answers to the following questions no later than 5 days from the date of this email...omitted due to length	Other: receiving an email; The email informed that the employee has had been identified as having accessed a patient's electronic medical record without a known work-related purpose and that unauthorized access is a privacy violation.
No Intervention: No eamil warning; individuals that were flagged as accessing patients' data without authorization on the same day as the experimental group were used as the control group

What is the study measuring?

Primary Outcome Measures

Outcome Measure	Measure Description	Time Frame
the number of subsequent unauthorizated access violations	The investigators monitored and collected all the subsequent unauthorized access violations for both the experiment and the control group	12 weeks starting from the first time a violation was flagged

Collaborators and Investigators

• Sponsor: Protenus, Inc.
• Investigators: Study Chair: Nick Culbertson, BS, Protenus, Inc.

Study record dates

Study Major Dates

• Study Start (Actual): January 1, 2018
• Primary Completion (Actual): July 31, 2018
• Study Completion (Actual): September 30, 2021

Study Registration Dates

• First Submitted: February 1, 2022
• First Submitted That Met QC Criteria: February 20, 2022
• First Posted (Actual): February 23, 2022

Study Record Updates

• Last Update Posted (Actual): February 23, 2022
• Last Update Submitted That Met QC Criteria: February 20, 2022
• Last Verified: February 1, 2022

More Information

Terms related to this study

• Other Study ID Numbers: email_alert_effectiveness

Plan for Individual participant data (IPD)

• Plan to Share Individual Participant Data (IPD)?: No
• IPD Plan Description: The data were collected from a large academic medical center that wanted to remain anonymous

Drug and device information, study documents

• Studies a U.S. FDA-regulated drug product: No
• Studies a U.S. FDA-regulated device product: No