Friday, January 21, 2011

After the Affair - Patient Asks if Lover Snooped Her Electronic Medical Records (EMR)

A woman, "Jane," had a brief relationship with a married family physician who practiced at a Burlington, Vermont hospital.

Later, Jane became suspicious that the doctor had misused his physician privileges to snoop through her electronic medical records without her permission.

Jane exercised her HIPAA right to request an audit of everyone who had accessed her records and lodged a complaint with the Vermont Board of Medical Practice.
The state medical board discovered the doctor had inappropriately accessed Jane's records plus those of seven other women who weren’t his patients, a violation of HIPAA.
A stipulation and consent order signed in February 2010 reprimanded the doctor with a six-month suspension, and his medical license was “conditioned” for five years.

Jane questions why the hospital took two years to discover that her privacy was breached, and then only after she notified the hospital of her suspicions.
The hospital has since deployed a $58 million electronic medical records (EHR) system which, they say, doesn’t make snooping impossible, but makes it far less likely to escape detection.
“They do know that we do this auditing on a regular basis, and they know that if they go someplace where they’re not supposed to be, they could be caught.” - Hospital CIO
Sources:
(a) "How Secure Are Medical Records in the Age of Digital Record Keeping?" - Seven Days, 02/2010
(b) "State of Vermont Board of Medical Practice In Regard to Joshua Aaron Welch MD Stipulation and Consent Order" - State of Vermont Board of Medical Practice, February 2010

2 comments:

Ralph said...

No system, electronic or otherwise, can or will be able in the foreseeable future to guarantee that inappropriate access to medical information will not happen. This is most especially true in preventing "authorized" users from accessing records they should not be looking at, and patients have to understand this as well as the holders of those records. It does not make it acceptable, and is not an excuse for not looking to improve the systems and procedures that handle and manage this information.

One of the reasons for allowing patients to receive an accounting of access to PHI is to add another factor into detection of abuse, which is why HITECH is expanding HIPAA requirements in this area to include accounting of allowable uses and disclosures.

Every case should be a lesson learned and system vendors, users and patients should all look to seeing such cases as adding to the knowledge base of what are unacceptable practices and use that to continue to close the door when possible, through improvements and tuning to systems and procedures.

Alan Norquist - Veriphyr, CEO said...

Ralph,

Thank you for your thoughtful comment. I especially like your point that "Every case should be a lesson learned and .. adding to the knowledge base of what are unacceptable practices and use that to continue to close the door when possible, through improvements and tuning to systems and procedures."

- Alan


Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.
