Employees of health care providers do not have carte blanche authority to access patient records. Any access to protected health information (PHI) must be for an appropriate purpose: either the provision of care to the patient or one of the other uses authorized under HIPAA. When employees misuse PHI, the Health and Human Services Office for Civil Rights (OCR) can and will penalize the organization.
McDermott Will & Emery, posted on National Review, writes about one such recent settlement with OCR:
The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”