Friday, April 11, 2008

Medical Privacy - "just me being nosy"


UCLA is facing a bit of a crisis as it reveals that more than 60 patient's health records had been improperly accessed by an employee that had no right to view those confidential records. Most of these records were celebs (Brittney Spears, Tom Cruise, George Clooney, Farah Fawcett, Maria Shriver) or other high-profile people. The fired employee who snooped says "it was just me being nosy".

All hospitals and doctors follow HIPPA (Health Insurance Portability and Accountability Act) guidelines that should protect patients. They are allowed to share confidential health information only with other care givers that have a "need to know" for the benefit of patient care. But all the regulations and guidelines in the world cannot fully protect privacy. Access to records, whether paper or electronic, cannot be fully secured.

I don't know that more laws are the answer. The electronic health record does have the ability to block from view anyone who is not authorized to see a certain record. There is also a footprint left for every viewer. I think that will be our best way to protect patients privacy in the future.

4 comments:

Anonymous said...

How does this electronic "footprint" work in protecting privacy?

tracey said...

I agree that the answer is not necessarily more laws. For those nosey enough to snoop, the threat of "unintentional accountability" - the footprint they leave - may be a greater incentive to stay out. Ideally, if the current rules are consistently enforced, coupled with the footprint that could get them fired from their current position, it could provide greater incentive to play by the rules. Unfortunatly, there will always be those who don't want to play nice.

Healthnut said...

Nothing is a guarantee. 40000 patients' PERSONAL (not medical) data including SSI and #s were stolen at Cornell recently according to this NY Times article, "Patients’ Data Stolen, Hospital Says"

http://www.nytimes.com/2008/04/12/nyregion/
12records.html?em&ex=1208145600&en=ed292ac
58106b7dc&ei=5087%0A

Jonathan said...

Many institutions, in addition to medical establishments, are faced with the dilemma that an unauthorized access to confidential information is difficult to differentiate from an authorized access. Banks, for instance, face this issue.

How do companies keep authorized individuals from making unauthorized accesses to confidential data? This situation can be likened to a parent trying to exert control over their kid’s web surfing habits. A parent, through a program, can create a record of every website their child has visited. The child’s knowledge that such record keeping is taking place, in and of itself, will likely provide a deterrent against visits to “unauthorized” websites.

So it is for the employee of a holder of confidential information. The employee knows every access to confidential data is being recorded and that an audit of such access will likely occur at some point, and while an audit may or may not immediately reveal illegal behavior, ultimately the release of any confidential information can be traced to those who accessed it.

Thus, any institution is reliant upon the honesty of the employee and the fact that every access, authorized or not, is being recorded. The very fact that the leaker of the UCLA hospital records was identified speaks to the effectiveness of computerized audit records. More security can likely be obtained by more frequent automated, intelligent audits. You just can’t ever have perfect security. Even intelligence agencies have leaks.