Unauthorized peeking at patient medical records remains an unsolved problem among healthcare providers, and privacy experts contend it's just in our nature to snoop.
“As long as you're a public figure, in the public eye, whether you're a local anchor, or a politician or Kim Kardashian, it strikes an interest,” said Angela Rose, director for health information management practice excellence at the Chicago-based American Health Information Management Association. “The policies and procedures have definitely gotten more strict, the state and federal laws have gotten more strict, but it still happens. There is still human curiosity and there's still human error.”
The news this week is word of yet another patient record peeping incident, in which five people were fired and a sixth, a volunteer researcher, was relieved of duty after an audit turned up that 14 patient records had been breached at 892-bed Cedars-Sinai Medical Center in Los Angeles. The breaches occurred last month, between June 18 and June 24.
The patient was not named, but the Los Angeles Times noted the string of peeks began just three days after the TV celebrity Kardashian gave birth at the hospital June 15 to a daughter with rapper Kanye West.
Four of the employees involved, who worked for four Cedars-affiliated physicians with medical staff privileges at the hospital, were also fired by their physician employers, the statement said.
These physicians had EHR access privileges, logins and passwords, which they had shared with their employees, in violation of hospital policy, according to a July 11 Cedars-Sinai statement. The hospital said it will “address the specific conduct of those physicians.” All six sets of EHR privileges have been de-activated, the hospital said.
It's easy to understand the fired workers' fascination, if only because they've got plenty of company. People magazine, which reportedly has offered Kardashian and West $2 million for their first baby photos, claims to have more than 42 million readers for its celebrity-drenched pages, where readers have kept up with the outspoken Kanye and the queen of the Kardashians in more than 1,600 articles, photos and mentions.
Pam Dixon, founder of the San Diego-based World Privacy Forum, a privacy rights advocacy group, was impressed with how Cedars-Sinai used technology to quickly turn around its investigation of the breach.
“I think this is a reasonably strong response for a healthcare system,” Dixon said. “Obviously, it's not to a point where we have real-time correction of this, but I anticipate as audit systems get better, this problem will be resolved. I think that's actually the cure, and having a robust system of checks and balances where people are actually looking at the audit results.”
Peeking at patient records is not just a Hollywood pastime, according to Mark Rothstein, a lawyer and the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine.
“For example, I remember that Bill Clinton's health records were viewed inappropriately when he was at a New York hospital for his heart operation,” Rothstein said. “It is relatively easy to track the unauthorized entry using audit trails, but that doesn't seem to be enough to prevent this.”
Rothstein suggests registering all celebrity patients under an alias and having a unique log-on procedure for celebrities that changes. Another strategy, he said, is “publicizing that strict discipline will follow any inappropriate access to health records.”
“Civil and criminal liability might be a powerful deterrent, but I don't see that happening,” said Rothstein, who served as chairman of the subcommittee on privacy and confidentiality of an HHS advisory panel, the National Committee on Vital and Health Statistics, from 1999 to 2008. “I don't see criminal prosecution as a high priority either for the Justice Department or the states. Also, there is no private remedy under the (HIPAA) privacy rule, so that individuals, whose records were unlawfully accessed, assumedly with some harm as a result, would have to bring a common law invasion of privacy case.”
The Office for Civil Rights at HHS, the chief enforcement officer of the HIPAA privacy and security rules, got off to a slow start in imposing civil penalties or fines on individual violators while the Justice Department started fast and then hit the pause button on criminal sanctions.
The compliance deadline for HIPAA's privacy rule was April 14, 2003, and the security rule, April 20, 2005.
ONC's first monetary penalty, $4.3 million, against a Maryland payer, Cignet Health, for privacy rule violations wasn't until February 2011.
The ONC also has reached several settlement agreements with alleged HIPAA violators, including one last week with insurance giant WellPoint.
Soon after the HIPAA privacy rule went into effect, a Seattle healthcare worker, Richard Gibson, stole the identity of a cancer patient, Eric Drew, and went on a shopping spree in Drew's name. In 2004, Gibson was the first person to be criminally prosecuted, found guilty and sent to prison under HIPAA. But a year later, a Justice Department lawyer severely restricted the scope of the HIPAA criminal penalty provision, saying in a binding legal opinion that “covered entities,” not individuals, were liable for criminal prosecution under HIPAA. Congress did not overturn that opinion until a 2009 “clarification” inserted in the American Recovery and Reinvestment Act, saying HIPAA violations should apply to individuals, too.
Meanwhile, prosecutions for peeking, while not unheard of, are few and far between.
In 2009, a physician and two employees of Arkansas healthcare organizations were fined and sentenced to probation for unauthorized peering at the medical records of a local TV journalist who had been killed.
And in 2010, Huping Zhou, a research assistant at UCLA Health System in Los Angeles, was sentenced to serve four months in federal prison for peeking into hundreds of patient records, including those of movie stars Drew Barrymore, Tom Hanks and Cameron Diaz.
Rose said the feds have since picked up the tempo of privacy rule enforcement. “There was a day when people could say there were no HIPAA police,” she said. “Now, there are HIPAA police. I think OCR has definitely put the iron fist down a lot harder in the last few years.”
Follow Joseph Conn on Twitter: @MHJConn