July 15, 2011
A Colorado Springs city health employee recently accused of inappropriately accessing about 2,500 Memorial Health System patient records claimed that “it’s pretty damn common” for medical professionals to peek at files for unwarranted reasons.
“Common” might be overstating things, but statistics suggest it happens more often than patients might realize.
Since 2008, Memorial Health System has had 22 employees who either resigned or were fired in connection with patient privacy issues, including a woman who lost her job earlier this year for breaching 135 patient records to create a database of her friends’ birthdays. Penrose-St. Francis Health Services declined to provide information on breaches at its facilities or discuss the issue.
Nationwide, the U.S. Department of Health and Human Services’ Office for Civil Rights has recorded 292 incidents of electronic medical record breaches involving 500 or more patients since 2009. That excludes the hundreds, if not thousands, of incidents that don’t meet the 500-patient threshold for public reporting.
Many of the incidents involve the theft or loss of computers or papers, but the top problem year after year since 2003 involves someone accessing private patient information for no valid medical or business-related reason. Advocates for patient privacy say the incidents point to shortcomings in security and technology that are supposed to protect patient privacy and help medical institutions comply with the Health Insurance Portability and Accountability Act of 1996 — HIPAA.
“The rate of unauthorized people looking at records in this country and other countries is incredibly high,” said Dr. Deborah Peel, founder and board chair of Patient Privacy Rights, an Austin, Texas-based nonprofit formed in 2004 to educate consumers about medical privacy issues and advocate for policy changes to protect them. “The vast majority of American hospitals and providers still have data that’s not even encrypted. This is what companies who go in and clean up the data tell me: that 20 percent of the top entities are interested in data protection, and the rest of them aren’t.”
A 2007 Government Accountability Office study indicated that most breaches don’t result in identity theft, but the Institute of Medicine of the National Academy of Sciences cites studies that outline other ways patients can be harmed if someone snoops into their health records, which typically contain not only medical information, but personal information such as Social Security numbers and addresses.
“When personally identifiable health information is disclosed to an employer, insurer, or family member, for example, the disclosure can result in stigma, embarrassment, and discrimination,” the Institute of Medicine said in a 2009 report. “For example, the disclosure that an individual is infected with HIV or another type of sexually transmitted infection can cause social isolation and/or other psychologically harmful results.”
A Memorial spokesman said patient privacy is taken seriously, and Penrose-St. Francis emphasizes that on its website. Staff gets repeated training on privacy issues, and most health professionals, whether they work in a hospital or other medical setting, know the law.
“It’s like hospital 101: You don’t access records unless you’re directly involved in a patient’s care,” said a Colorado Springs nurse whose own electronic medical records were breached by the Memorial employee who was looking up birthdays. The nurse asked not to be identified.
But human nature sometimes gets the best of even the most highly trained professionals. They may want to see why a neighbor was taken to a hospital, or try to get dirt on an ex-spouse.
“Even though these professionals are trained in this, for whatever reason — their curiosity or snoopiness, or sometimes something more malignant — prevails over their ethics and what they know they shouldn’t do,” Peel said.
John Wyckoff, director of compliance and privacy officer for Memorial, said the 22 cases that resulted in firings or resignations mostly involved employees looking into the records of friends and family. “Curiosity is essentially what it comes down to,” he said.
Curiosity is apparently what led to a $865,500 fine levied earlier this month against the University of California at Los Angeles Health System, where employees “repeatedly and without permissible reason” looked at the records of two celebrity patients, according to the Office for Civil Rights. The patients weren’t named, but the Los Angeles Times reported that hospital employees are known to have accessed medical records of Britney Spears, Farrah Fawcett and Maria Shriver, among others.
Curiosity also resulted in the prosecution of three employees of a Little Rock, Ark., hospital, including a doctor, after they accessed records of a TV personality who was beaten in her home and died at the hospital. The doctor said he wanted to determine the accuracy of a news report about the woman. The three admitted they were aware of and had received training on HIPAA rules.
It doesn’t appear that Colorado Springs nurse Lori Niell was trying to get the goods on some high-profile person in town, but police are investigating allegations that she accessed about 2,500 records of Memorial patients, even though she doesn’t work there. Niell has acknowledged using the Physician Link system to look at records, but denies it involved that many, and she said she was doing it for personal reasons, such as to look up a lost phone number for a friend.
“I guarantee that accessing the database for stuff like that is rampant in the medical community,” she said last week. “If they are going to get me for that, they would have to get a tremendous number of people for that.”
Faced with the possibility that even one employee may inappropriately access patient information, hospitals must do more to beef up security, Peel said. Unfortunately, she said, most data systems aren’t designed to provide complete privacy, leaving them vulnerable to the prying eyes of any medical worker with access. Most hospitals have thousands of such workers, she said.
“They built the systems backwards,” she said. “They should be designed where everyone’s locked out, not where everyone can get through. It’s a giant system set up to allow thousands and thousands of strangers to access and use our records.”
Memorial has about 5,000 authorized users of Physician Link, said hospital spokesman Brian Newsome, and compliance director Wyckoff said the hospital system meets all federal requirements for patient privacy. But because of the incident involving Niell, which came to light on May 20 and is said to be Memorial’s worst-ever breach, hospital officials put together a task force to improve security. Some measures identified by the group have been implemented, Wyckoff said, and the hospital is looking into software to better alert security officials when there’s unusual activity in the data system.
The hospital also is required to notify patients whose records were breached, and they’re advised to obtain credit reports, review credit card information and contact police if they want to pursue a complaint. But courts have determined they don’t have the right to sue, said assistant city attorney Dale Agathe.
Peel would like to see a system where patients could establish their own rules regulating who has access to their information.
“Not every doctor needs to know the same information about you,” she said.
Wyckoff and Agathe, however, said patients need to consider what might happen if they end up in the emergency room, and a doctor can’t access their records to determine if they have underlying conditions or are taking a medication that could affect their treatment. Protecting patient privacy while giving medical staff the information they need is a balancing act for security officials, they said.
“If an ambulance brings them to the emergency department and we can’t get into their records, then, effectively we can’t treat them,” Agathe said.
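The three design points raised above fit together: the default-deny model Peel argues for (everyone locked out unless they have a reason to be in), the emergency-room exception Wyckoff and Agathe describe (access must still be possible, but it is logged and reviewed rather than silently allowed), and the unusual-activity alerting Memorial says it is evaluating. The Python below is an added example written for this page; it is not code from Physician Link, Memorial, or any vendor. The care-team roster, the access log, the user names, the patient identifiers, and the alert threshold are all constructed for illustration.

```python
"""Default-deny record access with a logged 'break glass' override, plus a
retrospective review pass over an access log.

Added example; not code from Physician Link or any hospital system.
All rosters, log entries and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed care-team roster. Assumption: the record system can answer
# "is this user assigned to this patient's care?" (a treatment relationship).
CARE_TEAM = {
    "P1001": {"dr_adams", "nurse_baker"},
    "P1002": {"dr_adams"},
    "P1003": {"nurse_chen"},
    "P1004": {"nurse_chen"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    flagged: bool   # True when the privacy office must review this access
    reason: str


def authorize(user: str, patient: str, break_glass: bool = False,
              justification: str = "") -> Decision:
    """Default deny: only care-team members read a chart without review.

    Anyone else is refused unless they invoke the emergency ("break glass")
    override with a written justification. That access is granted, so an
    unresponsive ambulance patient can still be treated, but it is flagged
    for after-the-fact review instead of being silently allowed.
    """
    if user in CARE_TEAM.get(patient, set()):
        return Decision(True, False, "care team")
    if break_glass:
        if not justification.strip():
            return Decision(False, True, "break-glass requires a justification")
        return Decision(True, True, f"break-glass: {justification}")
    return Decision(False, True, "no treatment relationship")


def classify(user: str, patient: str, break_glass: bool) -> str:
    """Label one completed access for retrospective review."""
    if user in CARE_TEAM.get(patient, set()):
        return "treatment"
    if break_glass:
        return "break_glass"
    return "unexplained"


# Constructed access log from a legacy system where every read succeeded
# (the "everyone can get through" design the article describes):
# (user, patient, break_glass_used, justification)
ACCESS_LOG = [
    ("dr_adams",    "P1001", False, ""),
    ("nurse_baker", "P1001", False, ""),
    ("dr_adams",    "P1002", False, ""),
    ("er_dr_diaz",  "P1003", True,  "unresponsive, brought in by ambulance"),
    ("clerk_evans", "P1001", False, ""),   # looking up a friend's phone number
    ("clerk_evans", "P1002", False, ""),
    ("clerk_evans", "P1003", False, ""),
    ("clerk_evans", "P1004", False, ""),
    ("nurse_chen",  "P1003", False, ""),
]


def review(log, max_unexplained: int = 2) -> dict:
    """Per-user summary for the privacy office.

    Returns {user: {"treatment": n, "break_glass": n, "unexplained": n,
    "alert": bool}}. 'alert' is set when a user's reads with no treatment
    relationship and no emergency override exceed max_unexplained; the
    threshold is a constructed value chosen for this small sample.
    """
    summary = defaultdict(lambda: {"treatment": 0, "break_glass": 0,
                                   "unexplained": 0, "alert": False})
    for user, patient, break_glass, _justification in log:
        summary[user][classify(user, patient, break_glass)] += 1
    for counts in summary.values():
        counts["alert"] = counts["unexplained"] > max_unexplained
    return dict(summary)


if __name__ == "__main__":
    for user, counts in review(ACCESS_LOG).items():
        print(user, counts)
```

In the review pass, a clerk who opened four charts with no care relationship trips the alert while the emergency physician's single break-glass read is recorded but not alarmed; in the `authorize` path the same clerk would never have been let in at all. Real thresholds would be tuned per role and per shift, and the break-glass justifications would be reviewed by a person, not just counted.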