MedPath

The Effectiveness of Email Alerting on Reducing Employees' Unauthorized Access to Protected Health Information

Not Applicable
Completed
Conditions
Unauthorized Data Access
Interventions
Other: receiving an email
Registration Number
NCT05251844
Lead Sponsor
Protenus, Inc.
Brief Summary

A randomized trial was conducted in a large academic medical center to assess the effectiveness of email warnings on reducing repeated unauthorized access to Protected Health Information (PHI).

Detailed Description

From January 1, 2018, to July 31, 2018, a large academic medical center's PHI access monitoring system flagged all unauthorized accesses to patient electronic medical records from 444 employees (all professional medical staff), who were not part of the patient's intervention team and did not have access permission. 219 employees (49%) were randomly selected to receive an email warning on the night of their access, while the remaining employees (225, 51%) served as controls. The email informed the employee that they had been identified as having accessed a patient's electronic medical record without a known work-related purpose and that unauthorized access is a privacy violation. A sample email was attached at the end of the protocol.

The system tracked all of these individuals' violations within the sample period. Later, all cases, with the violators' IDs and patients' IDs fully de-identified (see the following excerpt for examples), were shared with researchers at Johns Hopkins and Michigan State for data analysis. Because the researchers are unable to link the data with an identifier, the study was exempted from Michigan State University's IRB review.

Violator ID | Patient ID | Date | Intervention
01B1NSYX3CEXZ86UZXU7R9JQ4VEK | R7Z8RTZQL4B9IAC13F6EXQJVWAI7 | 1/2/2018 | No Email
01B1NSYX3CEXZ86UZXU7R9JQ4VEK | R7Z8RTZQL4B9IAC13F6EXQJVWAI7 | 1/3/2018 | No Email

Recruitment & Eligibility

Status
COMPLETED
Sex
All
Target Recruitment
444
Inclusion Criteria
  • violators of patients' privacy rights
Exclusion Criteria

Study & Design

Study Type
INTERVENTIONAL
Study Design
PARALLEL
Arm & Interventions
Group | Intervention | Description
Email warning | receiving an email | Some individuals who accessed patients' data without authorization were randomly selected to receive an email warning. A sample email: Dear Colleague, The {Organization} proactive electronic record monitoring system has flagged you as having accessed the electronic patient record of {Patient_Name} on {Case_Event_Date}. A clear work-related purpose has not been identified for this access, and there are no approvals in place by the {Organization} Privacy Office to allow access to this record for personal purposes in accordance with A065. {Organization} takes the privacy of patient information very seriously. The {Organization} Privacy Office is now investigating this access as a potential privacy breach. This potential noncompliance needs to be resolved immediately. To help determine whether a privacy breach has occurred, please respond to this email with answers to the following questions no later than 5 days from the date of this email...omitted due to length
Primary Outcome Measures
Name | Time | Method
the number of subsequent unauthorized access violations | 12 weeks starting from the first time a violation was flagged | The investigators monitored and collected all the subsequent unauthorized access violations for both the experiment and the control group

Secondary Outcome Measures
Name | Time | Method

Trial Locations

Locations (1)

Protenus, Inc.

🇺🇸

Baltimore, Maryland, United States
