In a previous blog on healthcare information access concerns, I had expressed concerns about internal origins of data breaches. Further research to help mitigate some of these concerns has led to the observation that many data breach incidents can be traced to a few common origins. The intent in sharing some of the more unusual or high-profile cases below is to drive home the point that it really does happen in real life, and that passive awareness of regulatory controls is not enough; active exercise and use of in-place policies is necessary.
Whether the HIPAA information disclosure is intentional, malicious or accidental, the information leak still occurs.
Celebrity patient records are very often accessed by unauthorized personnel who have no involvement in that particular celebrity's care. The health care workers access the famous patient's information out of curiosity or greed. Patients with names such as George Clooney, Prince, Britney Spears, Farrah Fawcett, Sir Alex Ferguson, Arnold Schwarzenegger, Tom Hanks, Leonardo DiCaprio… the list goes on. [1]
Famous celebrities are not the only ones to experience such invasion of privacy; high-profile incidents in the news also attract the same curiosity, or the greed to profit from unauthorized information. Personal connections to a patient also elicit curiosity, whether out of concern for the patient, for gossip fodder, or for revenge.
The parents of an adopted child were threatened by the birth mother after the child's death from an accidental drowning. The birth mother had been notified by a hospital employee, without authorization and against policy. An investigation discovered that numerous unauthorized hospital employees had accessed the child's private EHR records, including several hospital food service workers. [2]
A cardiothoracic surgeon who got advance notice that he was to be dismissed accessed hundreds of patient records over the following 3 weeks, none of them patients within his care. The records accessed included those of his supervisor, colleagues, and celebrities (this was in the LA area). [3]
A pharmacist shared confidential medical information about a customer who had previously dated her spouse. This was a clear violation of the HIPAA privacy rules; the pharmacist admitted to being aware of them, and yet knowingly took deliberate action to violate them by sharing the information with multiple people. [4]
Alright, the above incidents involved some mal-intent and deliberate, conscious effort. Accidental disclosures or well-meaning intentions can result in a HIPAA violation too.
A medical technician posted on social media about an accident victim's non-use of car seat belts. [5] She explained her post was meant to encourage others to use the life-saving devices. Her hospital concluded that it was a HIPAA violation and ended her employment. In another case, upon processing a positive pregnancy test, a health center worker exclaimed out loud, within earshot of at least one nearby coworker, that she hoped the young couple was happy. She later explained she was merely talking to herself. The organization determined it was a HIPAA violation and let her go. [6]
Education and regular training on patient privacy and records are critical and necessary. Ignorance of the regulations will not go far as a defense, and the consequences of "innocent" curiosity and eavesdropping can carry high fines.
A dental group changed its electronic medical record (EMR) database provider. Its former vendor refused to return the patient database, despite the previous agreements and the EULA that required it. Because the dental group could no longer view or monitor the database to ensure the security of patient data, company officials had to notify patients. [7]
A Texas hospital contracted a vendor to shred old microfiche records. Some of them were discovered in 3 public park trash bins. [8] An orthopedic clinic contracted a vendor to digitize X-rays and then recycle the film. The appropriate processes were not followed: no compliant Business Associate Agreement (BAA) was issued, and the arrangement was made only through a verbal phone call. In addition, the X-rays were later destroyed and no digital copies were ever made. [9][10]
How sensitive patient records are destroyed or disposed of after handling is as important as how they are saved and stored whilst in use. There are compliance steps to take for maintaining the confidentiality of patient records, in whatever media form they come, from creation, use, delivery and transfer through to end-of-life.
A risk analysis can help uncover potential areas where an organization might be putting PHI at risk. The risk analysis should include an evaluation of the likelihood and impact of potential risks to ePHI, and the appropriate mitigating security measures. In addition, from the HHS.gov website, "Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI." [11][12]
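As an added illustration of the "track access to e-PHI and detect security incidents" part of that ongoing review (example code written for this post, not from the original article or from HHS), here is a small Python check over a constructed EHR audit log that flags the patterns seen in the cases above: a non-clinical role opening a clinical record, access outside a documented care relationship, access to a flagged (celebrity or staff) record, and one user opening many unrelated records in a short span. The log lines, care-team assignments, role list, flagged-patient list and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample EHR audit log (not real data): timestamp,user,role,patient,action
AUDIT_LOG = """\
2024-03-01T08:02:11,dr_lee,surgeon,P1001,view
2024-03-01T08:05:40,dr_lee,surgeon,P1002,view
2024-03-01T09:15:03,jdoe,food_service,P1001,view
2024-03-01T09:40:22,dr_lee,surgeon,P1003,view
2024-03-01T10:01:09,nurse_kim,nurse,P1003,update
2024-03-02T11:20:45,dr_lee,surgeon,P1004,view
2024-03-02T11:21:02,dr_lee,surgeon,P1005,view
"""

# Constructed care relationships: the patients each user is assigned to treat.
CARE_TEAM = {"dr_lee": {"P1001", "P1002"}, "nurse_kim": {"P1003"}}
# Assumed roles with no legitimate need to open clinical records at all.
NON_CLINICAL_ROLES = {"food_service", "housekeeping", "billing_clerk"}
# Constructed list of records under extra scrutiny (celebrities, staff, news cases).
FLAGGED_PATIENTS = {"P1005"}
# Assumed threshold: more than this many out-of-relationship accesses per user is a spike.
VOLUME_THRESHOLD = 2

def parse_log(text):
    """Turn the comma-separated audit lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": ts, "user": user, "role": role,
                       "patient": patient, "action": action})
    return events

def detect_snooping(events):
    """Return a list of (user, patient, reason) alerts for review by the privacy officer."""
    alerts = []
    out_of_care = defaultdict(int)   # per-user count of accesses outside their care team
    for e in events:
        assigned = CARE_TEAM.get(e["user"], set())
        if e["role"] in NON_CLINICAL_ROLES:
            alerts.append((e["user"], e["patient"], "non-clinical role accessed record"))
        elif e["patient"] not in assigned:
            out_of_care[e["user"]] += 1
            reason = "access outside care relationship"
            if e["patient"] in FLAGGED_PATIENTS:
                reason += " (flagged patient)"
            alerts.append((e["user"], e["patient"], reason))
    for user, n in out_of_care.items():
        if n > VOLUME_THRESHOLD:
            alerts.append((user, "*", f"{n} out-of-relationship accesses exceed threshold"))
    return alerts
```

On the constructed log this raises five alerts: the food service worker's access, three out-of-relationship accesses by the surgeon (one to a flagged record), and a volume alert because the surgeon's three unrelated accesses exceed the threshold; the nurse's update of an assigned patient raises nothing.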
[1] Celebrity HIPAA Fails
[2] Couple Sues McAlester Hospital Over Alleged Snooping
[3] Ex Healthcare Employee Sentenced for Illegally Peeking at Patient Records
[4] Pharmacist Shared Patient Data
[5] Employee Fired Over Social Media Post
[6] Careless Actions Can Get You Fired
[7] Dental Group Notifies Patients Because Former EMR Vendor Will Not Return Patient Database
[8] Notice Regarding Microfiche Incident for Hospital Patients
[9] Orthopaedic Clinic Settles for Lack of BAA
[10] X-ray Film Scam Exposes 17k Patients to Possible Data Breach
[11] Summary of the HIPAA Security Rule
[12] HHS.gov Guidance on Risk Analysis