Wednesday, July 13, 2011

Can Patient Privacy be Secured when Hospitals Need to Give Non-Employees Access to the EHR?

A Colorado Springs city employee who was authorized to access a local hospital's EHR as part of her job is alleged to have snooped on 2,500 electronic medical records that were unrelated to her job.

How can a hospital maintain patient data privacy when it needs to allow non-employee healthcare workers access to the hospital's medical records? Given the drive toward health information exchanges (HIE), how can hospitals protect their patients' data privacy? Your thoughts?
"From my understanding, she was accessing the [electronic medical] records when she wasn’t at work. She wasn’t doing it as part of her job." - Hospital Spokesman
The city employee had worked as an occupational health nurse for eight years. As part of her job she was authorized to access the hospital's medical records related to her patients.

The nurse had signed forms agreeing to abide by HIPAA/HITECH privacy requirements, but according to a reporter at The Gazette, a local newspaper, the nurse did admit to accessing the electronic medical records for personal reasons, such as looking up a friend's phone number that she had lost.
"I guarantee that accessing the [medical records] database for stuff like that is rampant in the medical community. If you talked to other medical people, you’d find out that it’s pretty damn common." - Nurse accused of unauthorized access
The hospital only learned of the 2,500 privacy breaches when it was notified by the city. The nurse's supervisor raised a concern because of unusual patient access activity by the nurse, including a high frequency of access and access from unusual locations.

The nurse claims her supervisor was fishing for an excuse to fire her after the nurse's 'psychic' abilities revealed her supervisor had a life-threatening condition. The nurse admits to looking at the supervisor's medical records to see if the supervisor heeded her advice and sought treatment.

As a result, the hospital is looking into a software service to more quickly alert hospital officials to unusual activity surrounding electronic medical records.
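The signals in this case (records unrelated to the user's own patients, access outside work, access from unusual locations, and a high frequency of access) can each be checked against an EHR access log. The following Python is an added example, not code from the hospital, Veriphyr, or the original post; the log layout, patient assignments, work hours, and daily threshold are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (user, patient_id, ISO timestamp, source location)
ACCESS_LOG = [
    ("nurse_a", "P001", "2011-06-06T09:15:00", "clinic"),
    ("nurse_a", "P002", "2011-06-06T10:40:00", "clinic"),
    ("nurse_b", "P003", "2011-06-06T11:05:00", "clinic"),
    ("nurse_b", "P104", "2011-06-06T22:30:00", "remote"),
    ("nurse_b", "P105", "2011-06-06T22:31:00", "remote"),
    ("nurse_b", "P106", "2011-06-06T22:33:00", "remote"),
    ("nurse_b", "P003", "2011-06-07T14:00:00", "clinic"),
]
# Hypothetical inputs: each user's assigned patients and usual access locations
ASSIGNED = {"nurse_a": {"P001", "P002"}, "nurse_b": {"P003"}}
USUAL_LOCATIONS = {"nurse_a": {"clinic"}, "nurse_b": {"clinic"}}
WORK_HOURS = range(8, 18)  # assumed shift: 08:00-17:59
DAILY_LIMIT = 3            # assumed per-user threshold for record opens per day


def audit(log, assigned, usual_locations,
          work_hours=WORK_HOURS, daily_limit=DAILY_LIMIT):
    """Return {user: {signal: count}} for accesses matching the four signals."""
    findings = defaultdict(lambda: defaultdict(int))
    per_day = defaultdict(int)
    for user, patient, ts, location in log:
        when = datetime.fromisoformat(ts)
        # Record does not belong to one of the user's own patients
        if patient not in assigned.get(user, set()):
            findings[user]["unrelated_patient"] += 1
        # Access happened outside the user's working hours
        if when.hour not in work_hours:
            findings[user]["off_hours"] += 1
        # Access came from a location the user does not normally use
        if location not in usual_locations.get(user, set()):
            findings[user]["unusual_location"] += 1
        per_day[(user, when.date())] += 1
    # Count the days on which a user opened more records than the threshold
    for (user, _day), count in per_day.items():
        if count > daily_limit:
            findings[user]["high_frequency_days"] += 1
    return {user: dict(signals) for user, signals in findings.items()}


if __name__ == "__main__":
    for user, signals in audit(ACCESS_LOG, ASSIGNED, USUAL_LOCATIONS).items():
        print(user, signals)
```

Users with no flagged access do not appear in the result, so the output is a short review list rather than a full activity report.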

(a) Memorial Patient Records Improperly Accessed - Memorial Health System, July 11, 2011
(b) 'Psychic' nurse says she is unfairly targeted in hospital records case - The Gazette, July 11, 2011


Maria Peluso said...

Identity Management.

It's slow to come to the PHI community. People should have varying degrees of access based on need. Not an across the board toggle for data access. This won't help every case scenario but can be used to limit scope.

Alan Norquist said...

Maria, I agree that identity and access management (IAM) and identity and access intelligence will be critical to health care organizations protecting patient data privacy.


Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.
