Patient privacy vs. the urge to snoop

When nearly a dozen teens and young adults were hospitalized last year after overdosing on a designer drug at a party in the Minneapolis suburb of Blaine, some hospital employees apparently couldn’t resist the urge to peek at their medical records – a clear violation of patient data privacy regulations.

In one of the largest such cases on record in Minnesota, 32 workers were subsequently fired for accessing medical records they weren’t authorized to see.

What does it say about a health care organization – and the people who work there – when patients find out someone has been prying into their medical record out of sheer curiosity?

It’s undoubtedly embarrassing and damaging, and a recent survey by the Ponemon Institute confirms that it often leads to less trust among patients.

The survey involved 700 people whose patient information had been stolen or misused. Six out of 10 said they lost confidence in the organization because of the incident. Fifteen percent said they would end their relationship, or already had ended the relationship, with the health care facility, and another 40 percent said they would consider doing so.

Not surprisingly, eight out of 10 said they felt organizations that fail to protect personal patient information are not trustworthy.

For all the resources that have been poured into HIPAA compliance – passwords, data encryption, secure servers, staff training and the like – many data breaches seem to be less about technology and more about basic human nature: in other words, the urge to snoop and the lapses in judgment that lead health care workers into this less-than-ethical behavior.

Although theft and hacking are usually regarded as the biggest threats to the security of patient information, it’s unauthorized access or disclosure that consistently ranks as one of the leading issues. A single incident might not be as large or noticeable as, say, the theft of a laptop containing private data on 25,000 patients. But what snooping lacks in scope, it more than makes up for in frequency. According to the most recent federal report on HIPAA breaches under investigation, unauthorized access is second only to theft.

A survey last year found that 70 percent of the organizations in the study had experienced a privacy breach in the previous 12 months that involved unauthorized access to patient records. Most of it was insider abuse rather than theft or hacking from outside. In about one-third of these cases, the target was the medical records of coworkers. Just under one in three involved snooping into patient information belonging to relatives and friends.

You might argue that some of these breaches are accidental rather than a case of deliberate snooping. But it’s disconcerting to note how many of them involve high-profile patients or medical cases that may be more likely to tempt someone’s curiosity.

For instance, there was the employee at Catskill Regional Medical Center in Harris, N.Y., who was fired last November after helping herself to the medical records of friends and coworkers. She apparently accessed more than 400 records in all, even though she had no legitimate reason to look at them. Hospital officials characterized her actions this way: “She was nosy.”

Consider the 16 people who were terminated at Ben Taub General Hospital in Houston, Texas, for allegedly snooping into the medical record of a physician who was on the staff and was hospitalized there after being shot during an attempted robbery. Among those fired were doctors, supervisors and nurses.

Then there were the four people who were fired after looking at the medical records of the victims in the high-profile Tucson supermarket shooting last year. Six people died in that shooting and 13 were wounded, including Arizona Rep. Gabrielle Giffords.

Celebrities who’ve had their medical records breached include Britney Spears, Tom Hanks, Tom Cruise, Drew Barrymore and the late Farrah Fawcett. Last year UCLA Health System paid an $865,000 penalty for multiple allegations that employees accessed patient information belonging to celebrity patients. An investigation by the Office of Civil Rights of the U.S. Department of Health and Human Services found that between 2005 and 2008, employees repeatedly looked at protected health information they weren’t authorized to see.

Although no one likes to acknowledge it, snooping has probably taken place in health care for a very long time. These days, though, the temptations seem to be greater and electronic medical records have made it easier to indulge one’s curiosity. Not only is an electronic record easier to peek at than a paper record, but it also takes a matter of seconds to download, print and/or copy.

On the other hand, auditing tools are getting better at tracking who’s supposed to have access to someone’s patient information and who’s been looking at it. Health care workers who engage in this kind of behavior sooner or later risk being caught, and health care organizations that don’t monitor and enforce internal practices risk earning a bad reputation when someone blows the whistle.

The great debate: Cameras in the delivery room

For most parents, few things can match the wonder of photos and video capturing the arrival of a new child into the world.

But at some hospitals, families who bring a camera into the delivery room will be informed that picture-taking is off limits. This is the policy at several hospitals in Maryland and at least one in Massachusetts, where neither photos nor video are allowed until after the baby is safely delivered and the medical team has given permission for pictures.

It’s a substantial reversal of the long-standing practice of encouraging families to be involved and engaged in the birth of their child, and it has sparked some passionate debate about the pros and cons of allowing cameras in the delivery room. The New York Times led the pack with a recent story and online discussion about the issue.

Here’s some background from the Times article, which includes the story of a Maryland mom who was so upset about the camera restrictions that she started an online petition:

For the hospital, the issue is not about rights but about the health and safety of the baby and mother and about protecting the privacy of the medical staff, many of whom have no desire to become instant celebrities on Facebook or YouTube.

Their concerns come against a backdrop of medical malpractice suits in which video is playing a role. A typical case is one settled in 2007 that involved a baby born at the University of Illinois Hospital with shoulder complications and permanent injury; video taken by the father in the delivery room showed the nurse-midwife using excessive force and led to a payment to the family of $2.3 million.

Nationwide, photography and videography have been allowed in many delivery rooms for decades. But in recent years, technology creep has forced some hospitals to rethink their policies as they seek to balance safety and legal protection against the desire by some new mothers to document all aspects of their lives, including the entire birth process.

It seems there’s plenty to argue about. At the Times’ “Room for Debate” opinion section, an obstetrician-gynecologist questions how far parents should go in capturing and sharing the birth experience. “The first time I saw a camera lens creeping into my field of view while delivering a baby, I thought the biggest issue was the appropriateness of exposing others to really intimate videos,” wrote Dr. Amy Tuteur. “Our vacation videos are bad enough. Are we really going to force friends and relatives to watch such a personal event?”

Photographing or videotaping a live birth is a decision that ought to be negotiated between the parents and the OB team, she concluded.

Jennifer Margulis, a contributing editor with Mothering magazine, had a completely different take: “Anytime you’re told you may not record what happens to you, be very wary of the people you are dealing with… Hospitals don’t want you taking pictures because they fear you might record their mistakes.”

At a deeper level, the whole debate raises issues about how we experience major life events when there’s a camera involved, says Raymond DeVries, a professor with the Center for Bioethics and Social Sciences in Medicine at the University of Michigan Medical School. If you’re going to bring a camera into the delivery room, think twice, he wrote. “Birth is an intimate moment to be experienced and cherished. Women in labor should not be thinking ‘I’m not decent for Facebook.’ When the camera is calling the shots we have lost something precious about human experience.”

The delivery room seems to be the flashpoint for a larger shift in how we view privacy and patients’ expectations of participating in their health care. Several months ago I blogged about allowing family members in the room when someone is being resuscitated. Do families have the right to be present, even when what they’re witnessing is bound to be disturbing and might invade the patient’s privacy? Many would argue that they do, but it has made for considerable tension between patients and health care professionals.

Health care workers often are ambivalent about the lengths to which they can accommodate the wishes of patients and families. What if a family member wielding a video camera gets in the way at a crucial moment? What if the family’s presence becomes disruptive?

The privacy boundaries can sometimes be exceeded for health care workers as well as for patients. Consider a 2007 incident at Children’s Hospital in Boston, where the family of a young cancer patient installed a webcam in the child’s hospital room so a favorite relative could see what was happening – but staff didn’t know the webcam was there until it was accidentally discovered by a nurse.

Judging from the online discussion at the New York Times, it’s a volatile topic. An anesthesiologist who attends C-sections wrote that “the focus needs to be on the patient and not rescuing a visitor from the floor after they have fainted (yes, it happens a lot).” From someone else: “It’s a medical procedure, not a fraternity kegger, for Pete’s sake. Why do people treat everything like it’s primarily some sort of photo op?”

A mother wrote:

I expressly forbade family members from videotaping me during labor and delivery. It’s not a pretty process in the best of circumstances, and still snapshots of me holding the baby after arrival suffice for commemorating the occasion. I don’t comprehend the sort of exhibitionism that would drive someone to want their delivery posted on Facebook.

Someone else argued that cameras are everywhere and we need to get used to it. “Cameras are documenting many facets of our lives and medical people should not be treated any different than other people,” he wrote.

Another commenter wondered whatever happened to pleasing the customer: “I’m not spending $10,000 a year on insurance to have my service providers dictate chapter and verse of how I experience the care I pay them to provide.”

It seems reasonable for hospitals to have some basic rules about the presence of cameras in the delivery room, if for no other reason than to make it clear what’s expected of families and to prevent the picture-taking from becoming disruptive. How far a hospital’s policy should go is less clear. Should there be an outright ban on photos and videos during the actual delivery? Should this be negotiated on a case-by-case basis between families and the OB team? What do readers think?

Photo courtesy of Brent and Gretchen Schlosser

A little privacy, please

Back in the day, this newspaper (and plenty of others) used to publish a daily list of hospital admissions and discharges. It had high readership. If it was omitted, which occasionally happened, we could usually count on at least one phone call from a reader, wondering why the “hospital notes,” as they were called, weren’t in the paper.

Over time, though, fewer and fewer hospital patients opted to have their name released. The list got shorter and shorter. By the time we discontinued the practice of publishing it a few years ago, it had more or less lost its newsworthiness.

Even before HIPAA, the Health Insurance Portability and Accountability Act of 1996, came along, health care was evolving toward greater privacy protections for patients. This wasn’t just an industry trend. Expectations of privacy were increasing among the public as well.

In our tell-all age of Twitter and Facebook, it seems counterintuitive that people would want to keep some things private – but when it comes to their health care information, most people are more sensitive about who gets to see it. It’s one thing for them to choose to share their personal stories on their own website or blog, or show a video of their gall bladder surgery at a dinner party. It’s another matter altogether for someone else to go ahead and share it without their consent, especially if the unauthorized sharing is done by someone entrusted with their health care.

The ease with which information can be transmitted electronically has upped the ante considerably. It was inevitable, I guess, that tighter patient privacy regulations would be enacted sooner or later.

HIPAA was a big deal for health care organizations to implement. Now, it has become such a permanent part of the landscape that it’s easy to forget the rules really haven’t been around all that long. It was seven years ago last week that the privacy regulations went into effect, and five years ago this week that the security rules took effect.

It’s interesting to get a behind-the-scenes glimpse of what hospitals must do in order to ensure the privacy and security of patients’ health information. At Rice Memorial Hospital here in Willmar, all staff and volunteers are required to undergo HIPAA training during their orientation and to complete refresher courses as well. Computer access to information is controlled through passwords, filters and user authorization. Audits are conducted on a regular basis. Very few breaches have been reported, so apparently it’s working. And according to hospital officials, both the staff and the public have become much more conscious of privacy since HIPAA went into effect.

HIPAA tends to get a bad rap for being overly burdensome. To be sure, the law is lumbered with a ton of paperwork and requirements. But you don’t have to look far to find examples of why we need it – such as the case of the UCLA Medical Center worker who inappropriately snooped through the late Farrah Fawcett’s medical file. And it’s not only celebrities who can be targets; ordinary patients are vulnerable too, as this case report from the Agency for Healthcare Research and Quality demonstrates. To say the gossip was embarrassing to this patient is an understatement.

Confidentiality has traditionally been more engrained in health care than in other industries. But health care also has had a long history of compromising patient privacy on a daily basis. For the most part it has been done unthinkingly rather than deliberately – a case of “this is just how we do things.”

If you ask patients, most would say the heightened awareness of their privacy has been welcome. Most patients don’t really want to share their hospital room with a stranger – or worse yet, be hospitalized in an open ward. They’d rather not be treated in an open bay in the emergency room. They don’t necessarily want to announce to the whole world that they’re in the hospital or why they needed surgery. They don’t like being rolled on a gurney down a hallway shared by the public. They’re uncomfortable with everyone at their clinic or hospital having access to their latest test results or mental status exam.

HIPAA may be cumbersome. It has been neither easy nor cheap for health care organizations to implement. But there’s a reason why the law was enacted, and it’s for the better that these regulations exist.