A nurse's ex-boyfriend from high school just had an appointment with a psychiatrist in the health care facility where she works, and she wants to sneak a quick peek at his medical paperwork. And perhaps because it's so alluring to look at another's health records, it's happening a lot more than we think, health care data privacy experts say.

“It's not just when the VIPs or celebrities are involved,” said Neal Eggeson, a plaintiffs lawyer who focuses on privacy and Health Insurance Portability and Accountability Act violations. “I think a shocking percentage of us would do it without too much hesitation.”

But instances of so-called medical record snooping for curiosity's sake are just as illegal as, for example, massive data breaches in which millions of patients' sensitive health data are exposed, the experts add.

This conduct may recently have cost dozens of workers at Northwestern Memorial Hospital in Chicago their jobs after they allegedly improperly viewed the medical records of “Empire” star Jussie Smollett, who was treated at the emergency room after he claimed he was attacked by two men. One of the nurses has said the incident was a misunderstanding, that she—and likely many of the other fired employees—simply scrolled past Smollett's records when looking for another patient's information.

When asked about the incident, a hospital spokesperson said in an email that company policy prevented him from commenting on the employment status of any employee.

HIPAA provides that a health care provider may access or use a patient's medical records only for treatment, health care operations or payment, meaning that incidents of unlawful snooping expose the provider to civil liability—and the possibility of large fines—under HIPAA, Eggeson said, adding that state law also may govern in some jurisdictions.

Given that HIPAA does not allow a private cause of action, Eggeson said “one has to come up with more creative ways to sue for a HIPAA violation,” often a state law cause of action such as medical malpractice or breach of a professional duty.

“If this is my health care provider, then a standard of care is set for protecting my health care and my confidentiality,” he said. “Of course then hospitals will turn around and say we have all sorts of policies [prohibiting this behavior] in place.”

But best practices to help health care providers avoid liability for unauthorized snooping by employees should go beyond just the creation of policies, said Helen Oscislawski, founder of health care law firm Oscislawski LLC.

If a health care facility is working with a technology vendor on its electronic records system, for example, it should ask if there are options such as a pop-up window that requires the individual to attest to the fact that he or she is treating the patient and thus is authorized to have access to the records before granting access, Oscislawski said.
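The attestation pop-up described above is, in access-control terms, a “break-the-glass” gate: a user who is not on the patient's care team can still open a record for a permitted HIPAA purpose, but only after attesting to a treatment relationship, and every such access is logged and queued for a privacy officer to review. The following is an added illustration, not code from the article or from any EHR vendor; the care-team roster, user and patient identifiers, purposes and thresholds are constructed assumptions.

```python
"""Minimal model of an EHR access gate with attestation and audit review.

Added example; names, data and rules are constructed assumptions, not
any real product's behaviour.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed roster: which staff are treating which patient.
CARE_TEAM = {
    "pt-1001": {"dr-okafor", "rn-lee"},
    "pt-1002": {"dr-okafor"},
    "pt-1003": {"rn-patel"},
}

# HIPAA's permitted purposes, as the article states them.
ALLOWED_PURPOSES = {"treatment", "operations", "payment"}


@dataclass
class AuditEntry:
    user: str
    patient: str
    purpose: str
    outcome: str          # "granted", "granted-attested" or "denied"
    attested: bool
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class RecordGate:
    def __init__(self, care_team):
        self.care_team = care_team
        self.audit_log = []   # every decision, granted or not, is recorded

    def request_access(self, user, patient, purpose, attested=False):
        """Return True if access is granted. Users on the care team pass
        directly; others must attest (the pop-up) and are flagged for review."""
        if purpose not in ALLOWED_PURPOSES:
            outcome = "denied"
        elif user in self.care_team.get(patient, set()):
            outcome = "granted"
        elif attested:
            # Break-the-glass path: the roster shows no relationship, so the
            # access is allowed only on the user's attestation and is queued
            # for a privacy officer, not silently accepted.
            outcome = "granted-attested"
        else:
            outcome = "denied"
        self.audit_log.append(AuditEntry(user, patient, purpose, outcome, attested))
        return outcome.startswith("granted")

    def review_queue(self):
        """Accesses a privacy officer should verify against clinical records."""
        return [e for e in self.audit_log if e.outcome == "granted-attested"]

    def repeat_offenders(self, threshold=2):
        """Users with `threshold` or more attested accesses outside their roster;
        a simple detection signal for curiosity-driven snooping."""
        counts = {}
        for e in self.review_queue():
            counts[e.user] = counts.get(e.user, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    """Constructed sequence of access requests exercising each path."""
    gate = RecordGate(CARE_TEAM)
    gate.request_access("rn-lee", "pt-1001", "treatment")                 # on roster
    gate.request_access("rn-lee", "pt-1002", "treatment")                 # no attestation
    gate.request_access("rn-lee", "pt-1002", "treatment", attested=True)  # flagged
    gate.request_access("rn-lee", "pt-1003", "treatment", attested=True)  # flagged again
    gate.request_access("rn-patel", "pt-1001", "curiosity", attested=True)  # not a permitted purpose
    return gate


if __name__ == "__main__":
    g = demo()
    for entry in g.audit_log:
        print(entry.when, entry.user, entry.patient, entry.purpose, entry.outcome)
    print("for review:", [(e.user, e.patient) for e in g.review_queue()])
    print("repeat attesters:", g.repeat_offenders())
```

The design point is that the attestation does not itself prove a treatment relationship; it shifts the access from invisible to reviewable. The real control is the review queue and the follow-up sanctions the experts describe, so the gate must log denials and attested grants alike rather than only the successful chart opens.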

She added that policies around this issue must make clear what the employer's expectations are and what it is prepared to do in the case of a violation, noting that posters and other visual aids can provide reminders of these expectations.

Training also must make employees “very keenly aware” of the repercussions for this behavior, Oscislawski said.

Finally, she added, expectations and policies must be carried through by way of sanctions and appropriate enforcement.

“There is a compliance piece that puts the hospital on the hook, and failure to fall short of reasonable and appropriate safeguards and best practices on that would open [providers] up to potential HIPAA enforcement,” she said.