Are Your Healthcare Records an Open Book?

Joseph (JB) Blankenship

January 18, 2011 - Posted by Joseph (JB) Blankenship to Security Insight

Think of all the sensitive information you don’t want to share with friends and family, much less the news media. Some things that come to my mind include pay stubs, tax records, financial statements, my high school report cards and some really bad poetry/song lyrics that I wrote. Perhaps, however, the information that I most closely guard is my healthcare data. I don’t have any skeletons in my medical closet, but I still shudder at the thought that someone could gain access to my health records, especially the ones admonishing me to lose weight and to get more exercise. Maybe I’m sharing a little too much here.

Privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and some state laws (such as California SB 541 and AB 211) are designed to protect our Protected Health Information (PHI). Most healthcare employers have policies that restrict employees from unauthorized access to patient data. Of course, medical professionals who are on a patient’s care team should be able to access pertinent information about that patient. Other employees who are not directly involved in a patient’s care, however, have no business accessing that information. The catch is that the information is out there, and the real issue is controlling access to it.

The tragic shooting in Tucson, AZ on January 8, 2011 took the lives of six people and wounded thirteen more, including Congresswoman Gabrielle Giffords. This heinous act of violence led to another vile act, the inappropriate access of Congresswoman Giffords’ private medical records by healthcare workers who had no business viewing them. As a result, three healthcare workers were quickly fired by University Medical Center in Tucson, Arizona. University Medical Center released the following statement on January 12:

"University Medical Center takes the privacy of all patients very seriously. The hospital has terminated three clinical support staff members this week for inappropriately accessing confidential electronic medical records, in accordance with UMC’s zero tolerance policy on patient privacy violations. A contracted nurse also was terminated by the nurse’s employer. We are not aware of any confidential patient information being released publicly. The families of all patients whose information was accessed have been notified. Any potential breaches of patient privacy by UMC staff will be investigated and appropriately addressed. With advances in technology, ensuring patient privacy has become the focus of hospitals nationwide. UMC uses sophisticated technology to help prevent and detect inappropriate access to patient information."

Of course this isn’t the first time that healthcare records have been accessed by workers who had no business accessing them. Britney Spears had her confidential medical records breached in 2008 by workers after she was admitted for evaluation. Nadia Suleman, AKA “Octomom,” also had her medical records accessed without permission in 2009. In each case, the workers in question were terminated, but how often do the perpetrators not get caught?

Knowing that termination and other penalties are possible is apparently not enough to keep workers from accessing sensitive healthcare information. In an SC Magazine article, Beth Givens of the Privacy Rights Clearinghouse said, “It's hard for me to comprehend -- apparently stardom is such a strong magnet that some employees will simply ignore penalties and sanctions and access medical records without authorization."

To keep our medical records from becoming open books, healthcare providers must limit access to patient medical records. For paper records, this primarily means physically controlling who can get to the files. For electronic records, providers need to implement technical controls that limit and monitor access to patient records, granting the needed access to the healthcare team and restricting access for everyone else. Controlling this access is a basic premise of HIPAA and other privacy legislation.
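The two controls the paragraph calls for, limiting access to the care team and monitoring every access so that inappropriate reads are caught, can be sketched in a few dozen lines. The following is an added example, not code from the article or from any EHR product: the care-team roster, staff names and patient identifiers are constructed sample data, and the "break-glass" emergency override is an assumption about how a real system would let a clinician outside the care team reach a chart while still leaving a reviewable trail. Every attempt is written to the audit log whether it succeeds or not, and the review function flags both denied attempts and successful break-glass reads for a privacy officer to follow up.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample data (not from the article): which staff members are on
# each patient's care team. In a real EHR this would be derived from the
# admission, orders and scheduling systems rather than hard-coded.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"dr.lee", "rn.patel"},
    "P-1002": {"dr.gomez", "rn.patel"},
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: who tried to open whose chart, and the outcome."""
    when: datetime
    user: str
    patient_id: str
    allowed: bool
    break_glass: bool


def record_access(log: List[AccessEvent], care_team: Dict[str, Set[str]],
                  user: str, patient_id: str, when: datetime,
                  break_glass: bool = False) -> bool:
    """Decide whether `user` may open `patient_id`'s chart and append the
    decision to the audit log. Every attempt is logged, allowed or denied,
    so that the monitoring side has a complete record to review."""
    on_team = user in care_team.get(patient_id, set())
    # Assumed break-glass rule: an emergency override is permitted but is
    # never silent; it is logged with the flag set for mandatory review.
    allowed = on_team or break_glass
    log.append(AccessEvent(when, user, patient_id, allowed, break_glass))
    return allowed


def find_inappropriate_access(log: List[AccessEvent],
                              care_team: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Return every event where the user was not on the patient's care team.
    This covers denied attempts (someone tried) and break-glass reads
    (someone succeeded via override); both warrant human review."""
    return [ev for ev in log
            if ev.user not in care_team.get(ev.patient_id, set())]


def repeat_offenders(findings: List[AccessEvent], threshold: int = 2) -> List[str]:
    """Users appearing in `threshold` or more flagged events, sorted by name.
    Repeated off-team access is the pattern behind the cases in the article."""
    counts: Dict[str, int] = {}
    for ev in findings:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def demo():
    """Run a constructed sequence of chart accesses through the controls."""
    log: List[AccessEvent] = []
    t = datetime(2011, 1, 10, 9, 0)
    record_access(log, CARE_TEAM, "dr.lee", "P-1001", t)        # on team: allowed
    record_access(log, CARE_TEAM, "clerk.jones", "P-1001", t)   # not on team: denied, logged
    record_access(log, CARE_TEAM, "clerk.jones", "P-1002", t)   # second attempt: denied, logged
    record_access(log, CARE_TEAM, "dr.gomez", "P-1001", t,
                  break_glass=True)                             # override: allowed, flagged
    findings = find_inappropriate_access(log, CARE_TEAM)
    return log, findings


if __name__ == "__main__":
    log, findings = demo()
    for ev in findings:
        print(f"{ev.when:%Y-%m-%d %H:%M} user={ev.user} patient={ev.patient_id} "
              f"allowed={ev.allowed} break_glass={ev.break_glass}")
    print("repeat offenders:", repeat_offenders(findings))
```

The point of separating `record_access` from `find_inappropriate_access` is that the authorization decision and the monitoring run independently: even if the access rule is later loosened, or an override is used legitimately, the audit log still contains every read, and the review query still surfaces any staff member who was not on the care team.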

These technical safeguards not only protect patient privacy, they may also help healthcare providers avoid fines and civil suits. With the Office for Civil Rights taking responsibility for HIPAA enforcement, more providers could see themselves facing fines in the event of data breaches, especially with the new guidance provided under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009. Victims of data breaches may also seek damages in court, causing further expense for healthcare providers.

We trust healthcare providers with our medical care and our lives. There are processes and procedures in place to increase the likelihood of a successful outcome and reduce risk, both to us as patients and for the providers. Since we must also trust healthcare providers with our most secret information, our medical histories, they should have procedures and technical controls in place to ensure that those records are not open books, available for anyone to see.
