Charles Ornstein of the Los Angeles Times reports:
Though UCLA Medical Center has portrayed recent privacy breaches as the rare actions of rogue employees, the hospital has known since at least 1995 that staffers were peeking into the medical records of such prominent patients as Tom Cruise and Mariah Carey — and even spying on one another’s medical care, according to records and interviews.
James Duckstad, a former hospital assistant at UCLA, told The Times that he was one of a group of workers fired in 1995 after improperly looking at the computerized medical records of colleagues as well as celebrities including Cruise and Dom DeLuise.
Full story – Los Angeles TimesÂ
In my experience, hospitals often look the other way and don’t do anything to stop or even to minimize this. Personally, I asked IS departments at four hospitals to investigate the suspected or actual abuse of medical records access by employees. One hospital had no ability to monitor employee access to records at all. A second did, and after access logs demonstrated employee access of his own, his familiy and his colleagues’ medical records, HR refused to take action, leaving me as his director, with no alternatives except to verbally counsel him and to perform my own extra-diligence in monitoring his access. The other two had the ability to conduct log reviews, but neither did so on a regular basis, nor did they monitor every employee’s access for appropriateness. Only when a manager reported a specific quetionable situation did the IS department take any action at all.
Again, in my experience, nurses especially were frequently interrupted while logged in, and the norm was to leave the terminal without taking time to log off. Nurses are constantly hounded, interrupted and punished – they are expected to be acting as fast as possible at all times. The culture of the work environment punishes them for taking time to perform all steps of any process – they seek, and they use any time saving mechanism possible, regardless of endangering access to medical records.
I’m not surprised by what you report, but yes, it is disheartening and troubling. Thank you for sharing your experiences. My hospital-based work was pre-HIPAA, but even recent non-employment experiences with hospitals show me how loose things are in some respects.
Then there are the little everyday things — like walking into a room at a doctor’s offices where blood is drawn for lab work, only to see numerous patient charts neatly lined up with the patients’ lab results neatly clipped to the front of the folders and easily readable by any patient walking into the room to get their own blood drawn. Staff didn’t even seem to notice or care that anyone could read what they seemed to routinely leave out for their convenience.
Does HHS have a whistleblower’s hotline? And if so, would they even really do anything effective other than a slap on the wrist or “promise us that you won’t do this again?”
I’m not aware of any hotline (although HIPAA and JCAHO have them). At the level I worked at, my knowledge and detail would have been enough to specifically identify me as the reporter, and that’s where many entry and mid-level managers and directors find themselves stuck. There is no collective representation, they work at will (at whim), and they enjoy no whistle-blower protections. Senior administrators insulate themselves by requiring that information reported to them is heavily filtered and edited so that they have plausible deniability.
So what’s the solution? Whistle-blower protection may not be really effective. Do we need to have federal law make all employees mandated reporters, so that the employee can claim that they had no choice but to report the violation?
Good question, and I wish I knew the answer. Contact me via email if you are so inclined, and I’ll share more detail, including the specific situation which resulted in my retaliatory firing – it involved access of some medical records and state reporting.