I was running my usual searches and the like to find items that I might want to post to my blogs, when I came across a link to an item where the first line or so of the entry in the search engine results looked interesting. So I clicked on the link, only to be taken to a Blogspot notice:
This blog is open to invited readers only
Well, I clearly wasn’t an “invited reader,” but I was curious and so I decided to see if I could access the entire blog entry. It took less than a minute, of course.
Sadly, the person who wrote the blog entry has no idea that what she thought was secure and private is neither. Because she does not give her email address anywhere, I cannot send her an email to alert her that if she’s really concerned for her safety as well as her privacy, she needs to secure her blog better. Or better yet, remove it from the web altogether.
In any event, here’s just a small bit of what the situation involved. I’ll assume that the facts are as she alleges:
1. She is a patient at Hospital A.
2. Hospital A grants all physicians a login that gives them access to all patients’ records, not just their own.
3. An employee of a physician who is not, and has never been, her physician has repeatedly accessed her hospital files numerous times over a multi-year period. The employee does so for the usual kind of personal reasons.
When the patient contacted the hospital, they reportedly denied all responsibility for the breach and pointed at the physician whose employee was inappropriately accessing the files.
The physician said that it was not his responsibility to protect the PHI of someone who isn’t his patient.
The medical licensing board won’t take a complaint against the physician because there is no doctor-patient relationship.
There’s a lot more, of course, but that’s the issue I wanted to address here.
Although the blogger focuses on the employee and physician, this is a matter that should be reported to HHS. The hospital has, in my opinion, clearly failed big time to control access to patient records. They have also failed to audit access logs. This is a failure on the hospital’s part.
While the patient may have some cause of action against the employee, someone needs to straighten the hospital out. If the allegations are true, their failure to take responsibility for this privacy breach is offensive, to say the least.
And no, I do not know the name of the hospital. I do wonder if they ever advised the patient that she had the right to file a complaint with HHS if she was not satisfied with their response. There’s no mention of that in her account of the breach.
I can tell you what my facility would do.
Rather than passing the buck to the employer-physician, we would take the woman’s complaint. Then, we would run an audit of the accused’s accesses for the time frame and ask the office manager or physician to determine the reason for the accesses, in a fairly short period of time (we give them 14 days). If they couldn’t give us a valid business need for the access, we would convene a sanctions committee. Then, since we have no control over the accused’s continued employment, but we do have control over whether or not they have access to our system, we would terminate their access to the information. Whether or not they could remain employed without the access to do their job is an issue for the employer.
We’ve done all this before, obviously.
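As an added example (editor's code, not part of the original post and not from any facility's actual system), here is the kind of audit the paragraph above describes, in working form: take the EHR access log and a care-team table, pull every access by the accused user to the complainant's record that has no documented treatment relationship behind it, and stamp the 14-day justification deadline on the inquiry. The log format, field names, user and patient identifiers, and the care-team data below are all constructed assumptions; the same check run across all users is the routine audit the hospital in the account apparently never did.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an EHR access-audit log. The format is an assumption
# for this example only: ISO timestamp | user id | patient id | action.
SAMPLE_LOG = """\
2008-04-02T09:14:03|dr_smith|PT-1001|VIEW_CHART
2008-04-02T09:20:41|rn_ortiz|PT-1001|VIEW_LABS
2008-04-15T22:47:10|office_mgr_b|PT-1001|VIEW_CHART
2008-09-03T12:05:55|office_mgr_b|PT-1001|VIEW_NOTES
2009-01-21T08:30:12|office_mgr_b|PT-1001|VIEW_CHART
2009-01-21T08:31:02|office_mgr_b|PT-2042|VIEW_CHART
2009-06-11T17:12:44|dr_smith|PT-1001|VIEW_LABS
2010-02-08T19:58:19|office_mgr_b|PT-1001|VIEW_CHART
"""

# Constructed care-team table: patient -> users with a documented treatment
# relationship (the patient's own physicians and those physicians' staff).
# A user accessing a patient not listed for them has no business need on file.
CARE_TEAM = {
    "PT-1001": {"dr_smith", "rn_ortiz"},
    "PT-2042": {"dr_jones", "office_mgr_b"},
}


def parse_log(text):
    """Parse the pipe-delimited sample format into a list of access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def unexplained_accesses(records, care_team, start, end):
    """Accesses within [start, end] by users with no documented relationship
    to the patient. A patient with no care-team entry at all is treated
    conservatively: every access to that record is flagged for review."""
    return [
        r for r in records
        if start <= r["ts"] <= end
        and r["user"] not in care_team.get(r["patient"], set())
    ]


def sweep_by_user(records, care_team, start, end):
    """Routine audit: count unexplained accesses per user over the period."""
    return Counter(r["user"] for r in unexplained_accesses(records, care_team, start, end))


def audit_user(records, care_team, user, start, end, audit_date, response_days=14):
    """Complaint-driven audit of one accused user. Returns the inquiry record
    the office manager or physician must answer, or None if nothing is flagged."""
    flagged = [r for r in unexplained_accesses(records, care_team, start, end)
               if r["user"] == user]
    if not flagged:
        return None
    return {
        "user": user,
        "count": len(flagged),
        "patients": sorted({r["patient"] for r in flagged}),
        "first": min(r["ts"] for r in flagged),
        "last": max(r["ts"] for r in flagged),
        # Deadline for a documented business need; absent one, this goes to sanctions.
        "justification_due": audit_date + timedelta(days=response_days),
        "accesses": flagged,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    window = (datetime(2008, 1, 1), datetime(2010, 12, 31))
    print(sweep_by_user(recs, CARE_TEAM, *window))
    inquiry = audit_user(recs, CARE_TEAM, "office_mgr_b", *window, datetime(2010, 3, 1))
    for r in inquiry["accesses"]:
        print(r["ts"].isoformat(), r["patient"], r["action"])
    print("justification due:", inquiry["justification_due"].date())
```

In the constructed data, office_mgr_b's single access to PT-2042 is covered by the care-team table and is not flagged, while the four accesses to PT-1001 spread over 2008 to 2010 are; that multi-year pattern against one record the user has no relationship with is exactly what a periodic sweep would have surfaced long before the patient had to complain.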
If the blogger has a copy of the Notice of Privacy Practices for the hospital, she has the complaint address for the facility and for HHS, since both are required elements in the NPP under the Privacy Rule. I’ve filed complaints with HHS on behalf of other people several times in the last 7 years, because I know what the law is and I expect everyone to abide by it. If we knew the name of the facility, I would have to at least consider filing one on her behalf.