Beyond New Hires: A Data-Driven Approach to Identifying High-Risk User Groups

By Christin Segars

On February 10th, 2026, Bluesight hosted Spotlight on Privacy: Tracking High-Risk Users, a webinar featuring Holly Nierman, Director of Compliance Data Analytics at UHealth University of Miami Health System. The conversation revealed something many privacy teams experience but rarely discuss: the groups that show up most frequently in privacy violations are not what you might expect.

While most organizations default to monitoring new employees, Holly’s team discovered that effective privacy protection requires a more nuanced, data-driven approach to identifying which user groups actually warrant closer oversight.

Starting With Your Data, Not Your Assumptions

“We pulled every privacy violation that we got through PrivacyPro for the year previous and then sorted that every which way we could think of to see what trends emerged,” Holly explained during the webinar.

This methodical analysis revealed both expected and unexpected patterns. While students and community users appeared as anticipated high-risk groups, Holly’s team also uncovered other user types who were surprisingly overrepresented in the percentage of privacy violations, such as VIP or coworker categories.

Identifying underrepresented groups (examples below) is equally valuable. Their differences can reveal best practices worth replicating across your organization.

Best Practice: The Comprehensive Data Audit

One recommendation is to export a full year of case data from PrivacyPro and analyze it across multiple dimensions:

  • User roles and departments: Which groups have disproportionate violation rates?
  • Time of day: Are there particular windows when violations spike? At her previous institution, Holly’s team identified “the witching hour between four and six” when staff had completed their primary duties but had downtime before shift changes.
  • Workstations: Are users accessing records from unexpected locations? “When you’re looking at accesses, all of a sudden you’ve got one on a workstation that doesn’t even exist in their department. Very often that can come from something like, I’m here visiting someone and I’m not getting an answer, so I’m going to look it up,” Holly shared, drawing on her clinical background.
  • Historical patterns: Analyzing data for at least six months, ideally a full year, helps capture seasonal variations like new student cohorts.

A best practice shared during the webinar: “I would suggest the best time to do it would be early fall because that’s when all of your newer students have come in, and you can compare that data to last year’s new students.”
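The audit dimensions listed above can be applied to an export with a short script. The following is an added example, not code from Bluesight or from the webinar: the CSV column names, the sample rows and the headcount figures are constructed assumptions rather than the PrivacyPro export schema, and the 16:00 to 18:00 window is one reading of "between four and six".

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export; column names are assumptions, not the PrivacyPro schema.
CASES_CSV = """case_id,user_role,user_dept,workstation_dept,access_time
1,Student,Nursing,Nursing,2025-09-03T16:40
2,Student,Nursing,Oncology,2025-09-10T17:05
3,Community User,Clinic A,Clinic A,2025-10-01T09:15
4,RN,ICU,Maternity,2025-11-12T16:20
5,Student,Pharmacy,Pharmacy,2025-12-02T11:30
6,RN,ICU,ICU,2026-01-08T04:50
"""
# Constructed headcount per role; needed to turn raw case counts into rates.
HEADCOUNT = {"Student": 100, "Community User": 100, "RN": 800}

def load_cases(text):
    """Parse the exported case list into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def representation_ratio(cases, headcount):
    """Share of violations divided by share of users; above 1 means overrepresented."""
    counts = Counter(c["user_role"] for c in cases)
    total_cases, total_users = len(cases), sum(headcount.values())
    return {role: round((counts[role] / total_cases) / (n / total_users), 2)
            for role, n in headcount.items()}

def in_window(cases, start_hour=16, end_hour=18):
    """Case ids whose access time falls in [start_hour, end_hour)."""
    return [c["case_id"] for c in cases
            if start_hour <= datetime.fromisoformat(c["access_time"]).hour < end_hour]

def off_unit(cases):
    """Case ids accessed from a workstation outside the user's own department."""
    return [c["case_id"] for c in cases if c["workstation_dept"] != c["user_dept"]]

if __name__ == "__main__":
    cases = load_cases(CASES_CSV)
    print("representation ratio by role:", representation_ratio(cases, HEADCOUNT))
    print("cases in 16:00-18:00 window:", in_window(cases))
    print("cases from off-unit workstations:", off_unit(cases))
```

A ratio well below 1 marks an underrepresented group, which is the comparison the post suggests using to find practices worth replicating.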

The High-Risk Users You’re Not Tracking (Yet)

While new employees remain an important monitoring category, the webinar highlighted several other groups that frequently appear in privacy violations:

Community Users

Users with broader system access across multiple facilities or departments present unique monitoring challenges. Holly tracks these users primarily through suspicion scores, which help identify potential family member lookups and inappropriate access patterns.

Students (Medical, Nursing, Pharmacy)

Student rotations create predictable risk windows. Rather than relying on reactive investigation, the recommendation is to work with the compliance education team to provide privacy training “before they get their first access,” when it can have the greatest preventive impact.

Clinical Staff During Personal Situations

Access patterns often shift when clinical employees have family members receiving care. Workstation analysis helps identify these scenarios, such as when a nurse or physician accesses records from a unit where they don’t typically work.

Department-Specific Risk Profiles

Certain departments naturally access more sensitive information or have patient populations that attract inappropriate curiosity. Holly’s advice: “If you know which groups generally don’t access many [patients] and all of a sudden you’ve got somebody on there accessing four times as much, that’s worth looking at.”

Tailoring Metrics to User Categories

One of the key insights: different user groups require different analytical approaches within User Watchlist.

For community users and students: The suspicion score serves as the primary indicator, flagging potential family member access and other inappropriate patterns.

For specialized departments: Patient access counts provide the most valuable signal, especially when compared to typical baseline behavior for that role.

For individual concerns: Workstation tracking can reveal whether users are “going someplace else, maybe in a suspicious way, so that they don’t get caught.”

When reviewing her watchlists, Holly exports the data to quickly scan and “selectively pick and choose the instances with either the highest number of patients or the highest number of high suspicion scores and focus on those.” This targeted approach helps her small team maximize their impact.

From Monitoring to Education: The Long-Term Goal

“The whole point of us doing this proactively is so that we can also proactively educate those that are known to be overrepresented,” Holly emphasized. Her team’s strategy centers on prevention rather than punishment.

By identifying overrepresented groups through data analysis, privacy teams can partner with compliance education to provide targeted training. The measure of success? “Hopefully, next time we go back and look at it, they won’t be overrepresented or will be less overrepresented than they were last time.”


Q&A with Holly Nierman: Practical Insights from the Field

Q: Before User Watchlist, how were you managing high-risk EMR users, and what challenges did you face?

Holly: I would pull lists from our EMR of specific areas that are known to be higher risk, community users, students, things like that. I would periodically go through, pull out a list of everybody that fell into that role, and then do random thirty-day audits within the EMR or within PrivacyPro just to see if there was anything suspicious. But that brings up challenges because I have nothing to compare it to. Short of them having the same name or something being incredibly obvious, I’m gonna miss a lot. It was a huge time investment with very little payoff. The user watch list definitely makes that ratio a lot friendlier.

Q: What advice would you give to other organizations looking to enhance their privacy monitoring processes?

Holly: I would say the biggest thing would be to do some kind of audit analysis. Export the information you can get from PrivacyPro, and then sort it “every way to Tuesday” and look for any trend you can find, whether that is a department, a time of day, workstations, or user roles, all the information you can get from that PrivacyPro export. Some things are just generally accepted to be true in most hospital organizations, but there are some things that vary from place to place based on the organization’s culture. The only way you’re gonna find that is to look at the data and to make sure you look at it for a bare minimum of six months, but hopefully a year.

Q: Has your use of the watchlist mostly led to education, or have any resulted in actual breaches?

Holly: We treat watchlist monitoring the same as a standard alert. It basically just enables us to start the clock sooner because we might catch it sooner. It has resulted in some actual breaches, but that’s not the main reason we’re doing it. The main reason we’re doing it is to curb the overall trend for overrepresented groups to get them less overrepresented.


Taking the Next Step

Effective privacy monitoring starts with understanding your organization’s unique risk landscape. Rather than relying on industry assumptions about which user groups require oversight, let your data guide your strategy.

The combination of comprehensive data analysis and automated monitoring through User Watchlist enables privacy teams to shift from reactive investigation to proactive education, ultimately reducing violations before they occur.

Ready to discover which user groups are overrepresented in your organization? Check out the User Watchlist Demo to learn more about how the feature can help you move from manual spreadsheets to intelligent, automated monitoring.