Earlier this year, a rash of unauthorized viewings of confidential patient records—1970s TV icon Farrah Fawcett's records among them—put UCLA Medical Center in a spotlight it did not want. As the story unfolded, it was revealed that the same employee peeked into records of more than 30 other high-profile patients, including Maria Shriver, the wife of Gov. Arnold Schwarzenegger.
The episode highlights one of the biggest fears about computerized patient records: the inappropriate breach. In this case, a wayward employee apparently gained access to multiple patient charts over a two-year period. Fawcett's lawyers raised the specter that her confidential information about cancer treatment may have been sold or leaked to the press, as stories in the tabloids began appearing soon after her treatments began. Is that a lawsuit I hear rumbling?
Now, if this scenario is not enough to cause hospital executives to wonder if they are in the wrong field, I don't know what is. Concerns over patient privacy are what led to the Health Insurance Portability and Accountability Act of 1996 and, in subsequent years, have led to calls for even stronger local laws. It can't be quantified, but I think one of the strongest forces pushing against the EMR is fear of the privacy breach. Usually, the hypothetical culprit is a hacker, a renegade computer expert dead set on posting confidential information on public Web sites. The UCLA case, however, reminds us that a more likely source might be a person already on staff.
This is not the first time a healthcare worker has been caught with his hands in the records jar. And no, these are not always minimum wage clerks doing the damage. I recall news stories outlining how a physician in downstate Illinois was terminated not long ago for inappropriate access to an electronic record.
One thing's for certain: UCLA would likely have never known this breach occurred had its patient records been entirely paper-based. Only an electronic record contains an audit trail. It also enables role-based viewing privileges, in which access is granted strictly on a “need-to-know” basis. These are powerful tools that can allay any fear of technology. More healthcare organizations, no doubt, are likely to redouble their use of these tools in the days ahead.