The Effectiveness of Email Alerting on Reducing Employees' Unauthorized Access to Protected Health Information

Protenus

Status

Completed

Conditions

Unauthorized Data Access

Treatments

Other: receiving an email

Study type

Interventional

Funder types

Industry

Identifiers

NCT05251844

email_alert_effectiveness

Details and patient eligibility

About

To assess the effectiveness of email warnings on reducing repeated unauthorized access to Protected Health Information (PHI), a randomized trial was conducted in a large academic medical center to understand the effectiveness of email warning on reducing repeated unauthorized access to PHI.

Full description

From January 1, 2018, to July 31, 2018, a large academic medical center's PHI access monitoring system flagged all unauthorized accesses to patient electronic medical records from 444 employees (all professional medical staff), who were not part of the patient's intervention team and did not have access permission. 219 employees (49%) were randomly selected to receive an email warning on the night of their access, while the remaining employees (225, 51%) served as controls. The email informed that the employee has had been identified as having accessed a patient's electronic medical record without a known work-related purpose and that unauthorized access is a privacy violation. A sample email was attached at the end of the protocol.

The system tracked all these individuals' violations within the sample period. Later on, all cases with the violators' ID and patients' ID fully de-identified (see the following excerpt as examples) were shared with researchers at John Hopkins and Michigan State for data analyses. Because researchers do not have the ability to link the data with an identifier, the study was exempted from Michigan State University's IRB review.

Violator ID Patient ID Date Intervention 01B1NSYX3CEXZ86UZXU7R9JQ4VEK R7Z8RTZQL4B9IAC13F6EXQJVWAI7 1/2/2018 No Email

01B1NSYX3CEXZ86UZXU7R9JQ4VEK R7Z8RTZQL4B9IAC13F6EXQJVWAI7 1/3/2018 No Email

Enrollment

444 patients

Sex

All

Volunteers

No Healthy Volunteers

Inclusion criteria

violators of patients' privacy rights

Exclusion criteria

Trial design

Primary purpose

Other

Allocation

Randomized

Interventional model

Parallel Assignment

Masking

Quadruple Blind

444 participants in 2 patient groups

Email warning

Experimental group

Description:

some individuals that accessed patients' data without authorization were randomly selected to receive an email warning. A sample email: Dear Colleague, The {Organization} proactive electronic record monitoring system has flagged you as having accessed the electronic patient record of {Patient_Name} on {Case_Event_Date}. A clear work-related purpose has not been identified for this access, and there are no approvals in place by the {Organization} Privacy Office to allow access to this record for personal purposes in accordance with A065. {Organization} takes the privacy of patient information very seriously. The {Organization} Privacy Office is now investigating this access as a potential privacy breach. This potential noncompliance needs to be resolved immediately. To help determine whether a privacy breach has occurred, please respond to this email with answers to the following questions no later than 5 days from the date of this email...omitted due to length

Treatment:

Other: receiving an email

No eamil warning

No Intervention group

Description:

individuals that were flagged as accessing patients' data without authorization on the same day as the experimental group were used as the control group

Trial contacts and locations

Data sourced from clinicaltrials.gov

Clinical trials

Find clinical trials Trials by location

Research sites

Find research sites Learn about CTV for professionals

Resources

Contact CTV support

Legal

Privacy Notice Terms