After 14 patient records were “inappropriately accessed” in a week’s time, six people were fired from Cedars-Sinai Medical Center in Los Angeles.
The people who were involved in the breach and got their walking papers handed to them were:
- four employees of community physicians who have medical staff privileges at the hospital
- a medical assistant employed by Cedars-Sinai, and
- an unpaid student research assistant.
Physicians who have practices in the community and have privileges at hospitals are allowed to access the hospital’s electronic record system. However, they are only allowed to log in for purposes related to the care of their patients.
Problem is, three of the community physicians gave their usernames and passwords to employees to use, which is a violation of hospital policy. The fourth community physician got a separate ID and password for an employee to assist with billing, and she used it to look at records she didn’t have access privileges to.
Cedars-Sinai just happens to be where reality television star Kim Kardashian delivered her baby on June 15.
So were these people just star struck and wanting to get a peek at Kardashian’s and her baby’s medical records?
In a Los Angeles Times story, a spokeswoman for the hospital declined to identify exactly whose records were accessed. But she did mention that all the people who had their records illegally accessed have been notified of the breach.
The thing is, five of the workers accessed a single patient’s record, while the other person looked at 14 patients’ records.
And this isn’t the first time a high-profile hospital has had its patients’ records breached. Many hospitals have, especially those that treat celebrities, such as UCLA Health System, which was at the center of a scandal in 2008 involving workers illegally accessing the medical records of Britney Spears, Farrah Fawcett and Maria Shriver.
These celebrity-related breaches don’t just occur in big cities. For instance, George Clooney was treated at Palisades Medical Center in New Jersey after a motorcycle accident, and his records were also accessed and leaked to the press. In that case, 40 employees were investigated and 27 employees were suspended for a month without pay.
Bumping up security
It’s not that these hospitals don’t have good security to guard patients’ medical records; they do.
In fact, in the Los Angeles Times article, David Blake, Cedars-Sinai’s chief privacy officer, said in a statement that the hospital has “a high standard for security.” And many hospitals do have good security and privacy policies in place, but in order to work they must be followed and updated on a regular basis, and violators need to be punished.
Here are a few ideas for keeping your facility safe from prying eyes:
- Tighten “access to info” policy — How airtight is your “access to information” policy? To answer this question, there are many variables you should consider. For example, who has access to patient information? Your policy should limit access to those directly connected to specific patient care, business need or research requirement. Outline very clearly who can access what, when and how, and it’ll hopefully save you from unauthorized information access.
- Outline when to release information – To stay HIPAA-compliant, patient-specific, caregiver-specific and healthcare provider info should only be given to public health and law enforcement, as allowed by law. Another way to safeguard the release of information is to establish a policy to verify the legitimacy of requests. In the blur of a critical situation, it might be hard to discern an official request from a suspicious one. Having a policy that outlines how requests for access can be validated, and then a procedure for how it should be granted or denied, can help ease the pressure of the moment. Most of all it could keep sensitive information from falling into the wrong hands.
- Provide refresher training courses — Let’s face it, it’s human nature to be curious about famous people, or even neighbors and friends. So if you can’t say with 100% certainty that no employee at your hospital would take a tiny peek, then it’s time for a privacy rule refresher course. Quarterly or semi-annual training sessions help keep privacy violations and their consequences fresh in employees’ minds. So remind employees during training that not only could they be suspended and even lose their jobs, but the government can impose monetary civil penalties or refer the case to the Department of Justice to take criminal action.
- Keep on top of access – Doing medical record access audits is one way to stay on top of who is accessing what.