In December 2014, University Hospitals of Cleveland notified almost 700 patients that their medical records had been accessed by an IT employee. The employee was fired, but only after it was found that the snooping had been going on since 2011. Like most IT folks, this person potentially had access to just about every piece of personal data on patients. I did some research on the hospital’s website and other news, but was not able to determine which medical records system is in place there. Not like that matters, but I do tend to watch for comparisons to the system I am most familiar with, which is Epic.
Unauthorized Access To Patient Medical Records
Several years ago, there was a similar incident with an Epic client in the Northwest that led to terminations of 13 employees. In both of these examples, there’s a good chance that the employees had no intentions of using any of the information that they had improperly accessed. In fact in this second example, some of the employees were simply looking at the charts of their spouses.
And then of course we have people looking at the medical records of Kim Kardashian and Beyonce.
So let’s look at a few scenarios and see if you can tell whether each situation constitutes an illegal or inappropriate access of patient records.
Dr. Frank tells Clinical Analyst Nancy that he accidentally entered the wrong diagnosis code on an ultrasound order for a female patient. Nancy checks the ultrasound order and walks the doctor through correcting the diagnosis. Nancy also checks the medication orders to see if they have the right diagnoses. Then she checks the pregnancy status of the patient, and how many previous pregnancies the patient has had. Did Nancy do anything wrong?
Answer: Yes. Nancy was right to check the medication orders to see if they had the right diagnoses, since the doctor made an error on the Ultrasound order. However, Nancy had no business checking the pregnancy status of the patient. That had nothing to do with the issue at hand.
Tammy is a scheduler at Pike Primary Care, and her husband Ralph also gets his care at the same clinic, but with a different doctor. Ralph had an appointment a few days ago and has been calling the clinic back to check on some lab results. Tammy knows that Ralph’s doctor is out for a few more days, so she asks the doctor’s Medical Assistant to check the labs and get back to Ralph. Did Tammy do anything wrong?
Answer: No. It was fine to have the MA check the system for lab results. If Tammy had checked the results herself for her husband, she would have been in the wrong.
Bill is an Analyst in the IT department of Pike Medical Center. His wife Kristen is also an IT Analyst, but she works for a different hospital. Kristen wants to see an Endocrinologist named Dr. Wong at Pike Medical Center, where her husband works. She wants to know that the doctor is conscientious about documenting her clinical encounters, so she asks Bill to run some reports on how well Dr. Wong does at correctly documenting things in the EMR. No patient data would be in these reports. Did Bill do anything wrong?
Answer: Probably so. Even though patient data was not compromised, Bill used his elevated access to provide data that is somewhat privileged. The bigger issue is that if an audit were done, it would raise suspicions toward Bill, leaving security staff wondering what other information Bill might have accessed. You don’t want to be in that position. Bottom line: when it comes to patient data, we should access only the minimum amount and breadth of data needed to do our jobs in healthcare IT. Nothing more.
Anything patients can do about it?
There is one change that is technically pretty small but can have a big impact. Patients can request that their healthcare provider turn on Break-The-Glass on their electronic health record. This presents an extra warning to any user who attempts to view that particular chart, and the user has to consciously proceed past it. It is usually reserved for what they call VIPs, such as celebrities. (I personally don’t look at celebrities as VIPs, but that’s a discussion for another time.) Healthcare facilities can’t activate Break-The-Glass for everyone, since it would then lose its impact and frustrate users. However, if you have a compelling reason to request it, such as a previous violation of your records, most organizations will accommodate your request.
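To make the mechanism concrete, here is a small added example of how a Break-The-Glass gate can work in principle: a chart carries a flag, an attempt to open a flagged chart without an explicit attestation is stopped with a warning, an attempt that supplies a reason is allowed through, and every attempt is written to an audit trail that security staff can review later. This is illustrative code written for this post, not Epic’s or any other vendor’s implementation; the class and method names (`ChartAccess`, `view_chart`, `break_the_glass_accesses`) and the patient IDs are assumptions made up for the example.

```python
"""Illustrative Break-The-Glass gate with an audit trail.

Added example only; not taken from any EHR product. Names and IDs are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class AuditEvent:
    """One chart-access attempt, granted or not. Every attempt is recorded."""
    user: str
    patient_id: str
    granted: bool
    break_the_glass: bool      # True only when a flagged chart was opened
    reason: Optional[str]      # attestation text the user supplied, if any
    timestamp: str


class ChartAccess:
    """Gates chart views for a set of Break-The-Glass flagged patients.

    The flag is set per chart, typically on request (VIPs, prior violations).
    """

    def __init__(self, flagged_patients: Set[str]):
        self.flagged: Set[str] = set(flagged_patients)
        self.audit: List[AuditEvent] = []

    def _log(self, user: str, patient_id: str, granted: bool,
             btg: bool, reason: Optional[str]) -> None:
        self.audit.append(AuditEvent(
            user=user,
            patient_id=patient_id,
            granted=granted,
            break_the_glass=btg,
            reason=reason,
            timestamp=datetime.now(timezone.utc).isoformat(),
        ))

    def view_chart(self, user: str, patient_id: str,
                   reason: Optional[str] = None) -> Dict[str, object]:
        """Attempt to open a chart.

        Unflagged charts open normally. Flagged charts require a non-empty
        reason (the user 'breaks the glass'); otherwise the user gets a
        warning and nothing is shown. Both outcomes are audited.
        """
        if patient_id not in self.flagged:
            self._log(user, patient_id, granted=True, btg=False, reason=None)
            return {"status": "granted", "patient_id": patient_id}

        if not reason or not reason.strip():
            self._log(user, patient_id, granted=False, btg=False, reason=None)
            return {
                "status": "warning",
                "patient_id": patient_id,
                "message": ("This chart is restricted. Accessing it will be "
                            "logged and reviewed. Supply a reason to proceed."),
            }

        self._log(user, patient_id, granted=True, btg=True, reason=reason.strip())
        return {"status": "granted", "patient_id": patient_id, "break_the_glass": True}

    def break_the_glass_accesses(self) -> List[AuditEvent]:
        """Events a privacy officer would pull for review: flagged charts that were opened."""
        return [e for e in self.audit if e.break_the_glass and e.granted]


def demo() -> ChartAccess:
    """Constructed walk-through: one ordinary chart, one flagged chart."""
    gate = ChartAccess(flagged_patients={"P-0042"})        # P-0042 asked for the flag
    gate.view_chart("nancy", "P-0001")                      # ordinary chart: opens
    gate.view_chart("nancy", "P-0042")                      # flagged, no reason: warning
    gate.view_chart("nancy", "P-0042",
                    reason="Correcting diagnosis code on ultrasound order for Dr. Frank")
    return gate


if __name__ == "__main__":
    g = demo()
    for event in g.audit:
        print(event)
```

The point of the audit trail is the same one the Bill scenario makes: the reason text does not prevent snooping by itself, but it means every opened flagged chart is an explicit, reviewable decision with a name attached, which is exactly what an auditor looks for.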