Marshall Allen updates us on a recent breach involving allegations that insider(s) accessed and sold patient data to local attorney(s):
University Medical Center has no system to track patient records, leading to numerous instances in which hospital paperwork containing Social Security numbers, birth dates and other private information goes missing, a state investigation has found.
The investigation was triggered by a Las Vegas Sun story revealing that patient records of traffic injury victims were being systematically leaked from UMC, allegedly to ambulance-chasing attorneys in search of clients. The breach, an apparent violation of federal law, is also being investigated by the FBI.
The Nevada State Health Division examined the public hospital’s methods for protecting patient privacy. It released its report Thursday.
[…]
After reading the report, Jeffrey Drummond, a Dallas attorney who specializes in helping hospitals comply with patient privacy laws, said it’s rare for a facility to take such a “cavalier” attitude toward securing sensitive information.
“This strikes me as pretty outrageous,” he said. “The lack of control over what’s going on in the hospital with regard to patient information, if this (report) is remotely true, seems outrageous.”
[…]
Washington, D.C., attorney Kirk Nahra, who also specializes in hospital privacy compliance, offered a more nuanced view of the report. There’s nothing in the document that directly relates to the leak of the face sheets originally reported in the Sun, he said, and even the most stringent privacy practices can’t stop an employee who wants to commit a criminal act.
A trauma center is a chaotic place where hospitals balance caring for the needs of patients with protecting their private information, Nahra said. The same kinds of problems reported by the state could be found in other emergency rooms, he said, though they should serve as a wake-up call to UMC.
Read more in The Las Vegas Sun.
Balancing? Keeping track of where you file multiple copies of a medical record and keeping track of access to records does not interfere with patient care, particularly when some of the recording is automated through software. In fact, having a system that enables you to know where to find information can speed up health care. Having been involved in emergency care in the past, I could agree with Kirk if he argued that occasionally, a copy of a file might get lost or misplaced in an emergency room, but to minimize the failure to have a system in place for monitoring access is just excusing sloppy security and privacy practices. The fact that it may also occur in other emergency rooms does not minimize the importance of the problem, if the report is accurate.