Kaiser Permanente should be commended for quickly firing or disciplining 23 employees for unauthorized viewing of the personal medical files of Nadya Suleman, aka Octomom.
The privacy breach at Kaiser Permanente Bellflower Medical Center in Los Angeles County—where the eight children were born on Jan. 27—occurred in mid-March. Suleman was immediately notified. Kaiser confirmed the breach to the public after several media outlets raised the issue. The case is now under investigation by the California Department of Public Health for possible HIPAA violations.
Kaiser's quick, unequivocal response and willingness to take responsibility for its employees' lapses in judgment will serve the health system well in the long run. Kaiser has sent a message to its employees, patients, and the public that spying on the health records of patients will not be tolerated.
So far, nothing more sinister than simple curiosity appears to have motivated the breach, Kaiser spokesman Jim Anderson says. There is no indication that any information in the files was sold to the media, or used for other nefarious purposes like identity theft.
Kaiser uses an electronic record system that allows the health system to track access to medical files. That's how the snoopers were caught. Anderson says that well before Suleman's admission, Kaiser already had a training program in place at Bellflower that stresses to the hospital's 5,000 employees the importance of patient confidentiality and the consequences for those who violate that trust.
When Suleman was admitted, Bellflower officials knew her condition would garner a lot of media interest. So, the hospital reaffirmed to employees who would be in contact with Suleman the importance of patient confidentiality. The hospital also enhanced security around her electronic records.
Mark Leavitt, chair of the Certification Commission for Health Information Technology, says most records breaches at hospitals involve not external hackers, but nosy employees or other insiders peeking at files, especially if the patient is a celebrity. "Sometimes, there is no monetary motive, just curiosity. That's still not good," he says.
UCLA Medical Center was embarrassed to disclose last year that employees had sifted through the medical files of more than 30 celebrities, including singer Britney Spears, actress Farrah Fawcett, and California First Lady Maria Shriver.
Patient confidentiality violations don't just affect the famous. A person with an embarrassing or socially stigmatized medical condition can also fall prey to snoops.
It's easy to snicker at these news accounts. But the repercussions of these privacy violations can do more than simply embarrass a patient. They can also cause patients to delay care or not seek care for fear that their medical conditions might be made public.
Leavitt says the expanding use of electronic health records will help more hospitals and other providers catch snoopers. "Used properly, they are far more secure. When you have an electronic health record, you have the ability to monitor every access," he says. "With paper records you will never know if someone goes into the chart room and Xeroxes pages. You don't see people deciding they are going to make banking records more secure by writing them down on paper."
"In the absence of good technology and processes, however, when an (electronic medical records) error happens, it has a greater impact because you can have thousands of breaches instead of one," Leavitt says. "It's a matter of more encryption, strong audit trails, and stronger organizational safeguards."
The federal government is expanding HIPAA laws to cover just about everyone who handles a medical record. With that expansion of the law, and likely enhancement of fines and other penalties, will come a renewed emphasis on securing those records.
The Suleman case provides an excellent opportunity for hospitals, physician groups, and other healthcare providers to remind staff about the importance of patient confidentiality. This really is an ancient and fundamental principle of medicine. It must be honored. If it is not, then patient trust in the provider rightly comes into doubt. After all, if healthcare providers can't be trusted to ensure something as fundamental as a patient's privacy, how can they be entrusted with a patient's health?