When nearly a dozen teens and young adults were hospitalized last year after overdosing on a designer drug at a party in the Minneapolis suburb of Blaine, some hospital employees apparently couldn’t resist the urge to peek at their medical records – a clear violation of patient data privacy regulations.
In one of the largest such cases on record in Minnesota, 32 workers were subsequently fired for accessing medical records they weren’t authorized to see.
It’s undoubtedly embarrassing and damaging, and a recent survey by the Ponemon Institute confirms that it often leads to less trust among patients.
The survey involved 700 people whose patient information had been stolen or misused. Six out of 10 said they lost confidence in the organization because of the incident. Fifteen percent said they would end their relationship, or already had ended the relationship, with the health care facility, and another 40 percent said they would consider doing so.
Not surprisingly, eight out of 10 said they felt organizations that fail to protect personal patient information are not trustworthy.
For all the resources that have been poured into HIPAA compliance – passwords, data encryption, secure servers, staff training and the like – many data breaches seem to be less about technology and more about basic human nature: in other words, the urge to snoop and the lapses in judgment that lead health care workers into this less-than-ethical behavior.
Although theft and hacking are usually regarded as the biggest threats to the security of patient information, it’s unauthorized access or disclosure that consistently ranks as one of the leading issues. A single incident might not be as large or noticeable as, say, the theft of a laptop containing private data on 25,000 patients. But what snooping lacks in scope, it more than makes up for in frequency. According to the most recent federal report on HIPAA breaches under investigation, unauthorized access is second only to theft.
A survey last year found that 70 percent of the organizations in the study had experienced a privacy breach in the previous 12 months that involved unauthorized access to patient records. Most of it was insider abuse rather than theft or hacking from outside. In about one-third of these cases, the target was the medical records of coworkers. Just under one in three involved snooping into patient information belonging to relatives and friends.
You might argue that some of these breaches are accidental rather than a case of deliberate snooping. But it’s disconcerting to note how many of them involve high-profile patients or medical cases that may be more likely to tempt someone’s curiosity.
For instance, there was the employee at Catskill Regional Medical Center in Harris, N.Y., who was fired last November after helping herself to the medical records of friends and coworkers. She apparently accessed more than 400 records in all, even though she had no legitimate reason to look at them. Hospital officials characterized her actions this way: “She was nosy.”
Consider the 16 people who were terminated at Ben Taub General Hospital in Houston, Texas, for allegedly snooping into the medical record of a physician who was on the staff and was hospitalized there after being shot during an attempted robbery. Among those fired were doctors, supervisors and nurses.
Then there were the four people who were fired after looking at the medical records of the victims in the high-profile Tucson supermarket shooting last year. Six people died in that shooting and 13 were wounded, including Arizona Rep. Gabrielle Giffords.
Celebrities who’ve had their medical records breached include Britney Spears, Tom Hanks, Tom Cruise, Drew Barrymore and the late Farrah Fawcett. Last year UCLA Health System paid an $865,000 penalty for multiple allegations that employees accessed patient information belonging to celebrity patients. An investigation by the Office of Civil Rights of the U.S. Department of Health and Human Services found that between 2005 and 2008, employees repeatedly looked at protected health information they weren’t authorized to see.
Although no one likes to acknowledge it, snooping has probably taken place in health care for a very long time. These days, though, the temptations seem to be greater and electronic medical records have made it easier to indulge one’s curiosity. Not only is an electronic record easier to peek at than a paper record, but it also takes a matter of seconds to download, print and/or copy.
On the other hand, auditing tools are getting better at tracking who’s supposed to have access to someone’s patient information and who’s been looking at it. Health care workers who engage in this kind of behavior sooner or later risk being caught, and health care organizations that don’t monitor and enforce internal practices risk earning a bad reputation when someone blows the whistle.