In healthcare, trust is everything. Patients share their most private information with us, expecting it will remain confidential. When staff members peek into records without a valid work purpose—known as snooping—that trust is broken.
What is snooping?
Looking at someone’s personal information without an authorized purpose related to doing your job is known as ‘snooping’.
Even when you are “just looking” at personal information and don’t share it with anyone else, this is still a breach of confidentiality. It is illegal.
When there is an offence under the privacy legislation, like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.
Snooping is entirely preventable.
Let’s take a look at the five proactive steps that you can take today to prevent employee snooping.
Step 1. Be a privacy champion
Every clinic needs a designated privacy officer to oversee policies, answer questions, and ensure safeguards are in place. Build privacy into your policies, procedures, and daily workflows. Make privacy a visible priority so staff understand their responsibilities.
Identify these responsibilities in your policies and procedures and in your health information manual. Make sure that you name a privacy officer. By default, in Alberta, the custodian (the health care provider) is the privacy officer. But the custodian can also name someone else, a “responsible affiliate”, to be the privacy officer for the organization.
Step 2. Train regularly
Healthcare practices must provide privacy awareness training to all of their employees at their orientation. Don’t assume new hires already understand privacy rules. Provide orientation training to everyone—including non-clinical staff who may overhear or see personal health information.
Follow up with refresher training throughout the year, especially when staff take on new roles or technologies. Use case studies, quizzes, or even news stories about real breaches to keep awareness alive.
Remember, we need to train patients, too. We need to take the time to explain to them how their information will be collected, used and disclosed, and who else may have access to it. Inform patients how they can access their own PHI and let them know that they can consult your privacy officer if they have concerns or complaints about how their PHI is being handled.
Step 3. Implement reasonable safeguards
Make it easier for staff to “do the right thing”:
- Administrative – policies, confidentiality agreements, training.
- Technical – role-based access, audit logs, secure log-ins.
- Physical – locked filing cabinets, controlled keys, proper shredding.
These safeguards reduce both temptation and opportunity for snooping.
Step 4. Monitor activity
Staff are less likely to snoop when they know privacy is being monitored by their supervisor, co-worker, or privacy officer.
Regularly review audit logs, watch for unusual access (such as staff viewing VIP records), and conduct monthly privacy and security audits.
Step 5. Apply consequences
A written sanctions and discipline policy is required both as a strong deterrent to snooping and to facilitate a quick response to a privacy incident.
Responses should be consistent and fair, ranging from retraining and written warnings to termination and mandatory breach notifications when necessary.
Snooping is a privacy breach, and it will require investigation and reporting. Your written privacy breach policies, procedures and forms will help you to respond quickly to a snooping incident.
Preventing snooping isn’t only about compliance—it’s about protecting relationships. By making privacy a shared responsibility, you build trust with patients and respect among your team, while saving time and money through efficient practices.
Be a privacy champion. Take steps today to prevent employee snooping in your clinic.
Need help getting started?
Join our Practice Management Success Membership for templates, training, and step-by-step guidance to strengthen your privacy management program.
Jean L. Eaton, BA Admin (Healthcare), CHIM, Information Managers
Originally published by Information Managers. Reprinted with permission.

