How to reconcile Kaiser's statements about who can access patient data

Posted on March 9, 2010 by Dissent

Two reports of how Kaiser Permanente approaches security left this blogger scratching her head last week, as the reports might seem to contradict each other. And because the VA Watchdog had the same questions I have, I decided to follow up.

On February 28, and as reported by Health Data Management, Eric Liederman, M.D., director of medical informatics at Kaiser Permanente’s Northern California division, described the security approach this way during the Physicians Symposium at the HIMSS 2010 Conference & Exhibition in Atlanta:

… The common approach is to restrict access to patient data by assigning roles to users and allowing role-based access. But this can hamper appropriate exchange of health information and raises the risk of patient harm, particularly in the case of sick patients quickly getting sicker, Liederman said.

Kaiser took another route by making all accountable by giving everyone access to everything. But … record all views, investigate all complaints, use surveillance to find “silent offenders,” sanction the guilty and publicize the sanctions. “You don’t have to publicize the names but put out the word that coworkers–real people–no longer work here because they violated privacy,” Liederman explained.

The accountability approach deters temptation-driven mistakes and keeps good employees on the job, removes barriers to people doing their jobs, and avoids proliferation of security profiles and roles, he added. This reduces confusion while increasing consistency, and protects key privacy targets–physicians, co-workers, neighbors and celebrities/VIPs.

And the way to maintain law and order in an open environment is to police, police, and police with information technology surveillance tools.

Yet as Alice Lipowicz of Federal Computer Weekly reported on March 5, Dr. John Mattison, chief medical information officer for Kaiser Permanente Southern California, told her that Kaiser uses role-based access privileges like most other health systems, and that Kaiser has been performing algorithmic surveillance of its systems to detect anomalies that could indicate unauthorized access:

“We do not allow everyone to see everything,” Mattison said today. “We allow access based on roles — which include receptionist, medical assistant, quality assurance officer, coding or billing officers. We have security profiles, and you can only see what is allowed for that role.”

Typically, health systems have about 40 to 2,000 different user profiles and corresponding levels of access in their systems, Mattison said. Kaiser’s number of roles “is in the middle of that range.”

“We are using the same restrictions as the rest of the industry, and we are pretty much in the middle of the industry for integrated organizations,” Mattison said. Also, Kaiser is forging ahead in deploying its surveillance software to better detect anomalies, he added.

As for suggestions that Kaiser’s security is more “daring” than other health plans, Mattison disagreed with that assessment. “There are some false assumptions underlying that premise,” Mattison said.

I asked Kaiser to comment on what seemed to be a contradiction in the way the approach to security was described. John Nelson, spokesperson for Kaiser, responded:

The comments made by Drs. Mattison and Liederman are both accurate, depending on the area of patient health information being accessed. Given the comprehensiveness of our electronic medical record, we employ role-based access controls in all areas where it makes sense to do so. For caregivers involved in direct patient care, we ensure that they have sufficient access to information relevant to their work, enabling them to provide the highest quality of care. For others who are not involved in direct patient care, their access is much more restricted according to what information they need to perform their jobs. This combined approach enables us to protect patient privacy and deliver the best care possible through electronic health records.

According to Nelson, when Dr. Liederman said that Kaiser gave “everyone access to everything,” he was not really talking about everyone — only those involved in direct patient care.
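The combined approach Nelson describes, caregivers with broad but fully logged access and other staff restricted by role, with a surveillance pass over the access log to find the "silent offenders" Liederman mentioned, as an added illustration in Python that is not from the article or from Kaiser; the roles, chart sections, users and records are constructed.

```python
"""Hybrid access model from the article: RBAC for staff outside direct
care, broad but fully logged access for caregivers, and surveillance of
the log for "silent offenders". Constructed roles and data, not Kaiser's."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed role policy: "*" grants every chart section (caregiver roles);
# the rest are limited to the sections their job needs.
ROLE_SECTIONS = {
    "physician": {"*"},
    "nurse": {"*"},
    "receptionist": {"demographics", "appointments"},
    "billing": {"demographics", "charges"},
}

@dataclass
class Chart:
    patient: str
    care_team: set            # staff with a treatment relationship
    sensitive: bool = False   # coworker, neighbour, VIP: a privacy target

def access(log, user, role, chart, section):
    """Decide one view; every attempt, allowed or denied, is logged."""
    sections = ROLE_SECTIONS.get(role, set())
    allowed = "*" in sections or section in sections
    log.append({"user": user, "patient": chart.patient, "section": section,
                "allowed": allowed, "treating": user in chart.care_team,
                "sensitive": chart.sensitive})
    return allowed

def silent_offenders(log, threshold=3):
    """Surveillance pass: users whose successful views of patients they do
    not treat touch a sensitive chart or recur >= threshold times."""
    non_treating = defaultdict(list)
    for e in log:
        if e["allowed"] and not e["treating"]:
            non_treating[e["user"]].append(e)
    report = {}
    for user, views in non_treating.items():
        reasons = [f"viewed sensitive chart of {v['patient']}"
                   for v in views if v["sensitive"]]
        if len(views) >= threshold:
            reasons.append(f"{len(views)} views of patients not under their care")
        if reasons:
            report[user] = reasons
    return report
```

The policy decision alone cannot tell a nurse's legitimate view from a curious one; only the treatment relationship recorded alongside each view lets the surveillance pass separate them after the fact.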
