In the Privacy Hot Seat
I'm sure most of you have heard about the privacy breaches at UCLA Medical Center by now. You can't turn on an entertainment show or open a newspaper without being barraged by "Celebrity Patients Need Privacy Too" or "More UCLA Record Abuses Found."
The saga actually began last spring, when a tabloid ran an exclusive story about Farrah Fawcett's cancer returning. Shortly after UCLA doctors told Fawcett that her cancer had returned-and before she could even tell her son and closest friends-the National Enquirer posted the news on its Web site. Lawyers for the star claim that the information was leaked or sold to tabloids. After UCLA launched a thorough investigation, the medical center discovered "multiple reviews" of Fawcett's records by a worker who was not involved in her treatment.
Flash forward a few months and UCLA is back in the news as it takes steps to fire at least 13 employees and suspend at least six others for snooping in the confidential medical records of pop star Britney Spears during her hospitalization in its psychiatric unit.
State regulators entered the picture, and the California Department of Public Health reported that several investigations were under way.
Flash forward again about 3 weeks and UCLA is front and center in the headlines. On April 6, hospital officials reported that an employee improperly viewed the EHRs of 33 celebrities, politicians and other high-profile patients, including California first lady Maria Shriver. Overall, the medical records of 61 patients were accessed improperly.
OK, so that's the basic gist of the story. You can find all the sordid details by doing a Google search. Hundreds of headlines will no doubt pop up.
For its side of the story, UCLA Health System issued a statement on its Web site:
"...After news stories first appeared in May 2007 about an unauthorized release of patient information, we conducted a full investigation and determined that a single worker, who is no longer employed, was responsible for that incident, as well as the unauthorized viewings of multiple patient records. Consistent with state law and based on the findings of our investigation, we did not notify the Department of Public Health or the affected patients at that time.
"Like other medical institutions in California and across the country, UCLA Health System is engaged in a continuing effort to strengthen its information technology infrastructure to protect against the potential of patient information breaches. We continue to take steps to improve security systems designed to preclude access by unauthorized individuals, while also ensuring that properly assigned medical personnel can quickly retrieve the information required for emergency or other treatment decisions to best meet the needs of its patients.
"Importantly, UCLA Health System has stringent policies familiar to all employees to protect patient confidentiality. All staff and faculty members, contractors, volunteers and other workers are required to sign confidentiality agreements as a condition of their employment and they complete extensive training on federal HIPAA-related privacy and security issues. ..."
So, what do you think? As HIM professionals, the stewards of patient privacy, is this just unfathomable to you? Is UCLA Medical Center under added pressures because they treat more celebrity patients than the average hospital? Is HIPAA training and signed confidentiality agreements enough to guarantee a patient's right to privacy? Is HIPAA even working?
I'd love to hear your thoughts on this topic.