Slashdot Mirror


UCLA Hospital Hit With HIPAA Fine On Celeb Records

Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."

10 of 57 comments

  1. Shocked, shocked I tell you! by overshoot · Score: 4, Insightful
    Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

    Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:Shocked, shocked I tell you! by Mindcontrolled · Score: 2

      Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

      --
      Ubi solitudinem faciunt, pacem appellant.
    2. Re:Shocked, shocked I tell you! by Saerko · Score: 3, Interesting

      > Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.
      >
      > Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

      I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices that protect their identity.

      For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group. For all intents and purposes, she was well protected.

      The problem came in when billing entered the picture. You can't bill against a pseudonym, and the local papers broke the story soon after she delivered. Once she left the hospital, her pseudonym was replaced by her real name, and her chart was promptly accessed over 200 times by various personnel across the hospital. In the next week, five people were fired outright for unauthorized access, and about a dozen put on disciplinary action because we couldn't fully prove that their access was unnecessary, if suspect. In an ideal world, the system would have been able to bill out under the pseudonym with the identity correction occurring downstream, but people still talk and the cover would get blown eventually anyway.

      Does this anecdote have a point? I'd like to think so: it's that there's only so much mitigation you can do, but a lot of hospitals and EMR vendors could certainly do more. There will always be people like me who have god-like access by necessity though, and as long as that exists, there will always be the potential for abuse and information leaks. I think the real benefit of electronic systems is that, previously, if someone absconded with the paper chart, there was no way to tell who accessed it. Even I leave entries in the logs, and there's pretty close to no way to effectively "leave no trace" of my presence in the system. The biggest benefit of modernization is accountability, but real privacy is a pipe dream that people need to abandon.
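The VIP protections Saerko describes (a flagged chart, a direct care group, and an attested reason required from anyone else) amount to an audit-trail review problem. The following is an added example, not code from the thread or from any EHR product: the record fields, the VIP chart id and the log entries are constructed for illustration.

```python
# Added example (not from the Slashdot thread or any EHR vendor): a small
# audit-log review in the spirit of the VIP protections described above.
# Record fields, the VIP chart id and the log entries are constructed.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str           # who opened the chart
    chart: str          # which chart was opened
    in_care_team: bool  # member of the patient's direct care group?
    reason: str         # attested justification ("" if none was recorded)

# Charts carrying a VIP flag: any access from outside the care team
# must carry a recorded reason, or it is escalated for review.
VIP_CHARTS = {"CHART-VIP-001"}

# Constructed sample audit trail (not real data).
SAMPLE_LOG = [
    Access("nurse_a",   "CHART-VIP-001", True,  ""),
    Access("billing_1", "CHART-VIP-001", False, "discharge billing"),
    Access("clerk_x",   "CHART-VIP-001", False, ""),
    Access("clerk_x",   "CHART-VIP-001", False, ""),
    Access("tech_y",    "CHART-VIP-001", False, ""),
    Access("nurse_a",   "CHART-0042",    False, ""),  # non-VIP chart: not escalated
]

def review_vip_access(log):
    """Return (unjustified, justified): Counters of user -> number of
    VIP-chart accesses made from outside the direct care team."""
    unjustified, justified = Counter(), Counter()
    for a in log:
        if a.chart not in VIP_CHARTS or a.in_care_team:
            continue  # care-team access, or a chart without VIP protection
        if a.reason.strip():
            justified[a.user] += 1
        else:
            unjustified[a.user] += 1
    return unjustified, justified

def escalation_list(log, threshold=1):
    """Users whose unjustified VIP accesses reach the threshold, most frequent first."""
    unjustified, _ = review_vip_access(log)
    return [u for u, n in unjustified.most_common() if n >= threshold]

if __name__ == "__main__":
    unjust, just = review_vip_access(SAMPLE_LOG)
    print("justified outside-care-team accesses:", dict(just))
    print("escalate for review:", escalation_list(SAMPLE_LOG))
```

Accesses by the care team are never flagged, and a recorded reason moves an outside access to the "justified" list rather than hiding it, so the reviewer still sees who looked at the chart and why.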

    3. Re:Shocked, shocked I tell you! by david_thornley · Score: 2

      In a civilized country, there wouldn't have to be any billing for something like a delivery.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Re:Pledged to tweak their infrastructure by ethanms · Score: 4, Insightful

    I was thinking it sounds like "fire those involved and make it very clear to all remaining employees that those involved were fired and are unlikely to get another job in the medical field after being terminated for a HIPAA violation..."

  3. HIPAA is a travesty by Tony+Isaac · Score: 4, Insightful

    I work in the electronic medical records industry, and I can tell you that HIPAA protects your privacy about as well as those multi-page "privacy policy" letters you get from your bank and other businesses...you know, the ones that tell you, in lots of fine print, that they will do whatever they want with your information.

    Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

    What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes. It also costs hospitals and doctors tons of money to comply (I know, my company is the recipient of some of that money)...and that in turn drives up the cost of health care.

    HIPAA may have been created with good intentions in mind, but it is a travesty and can't be repealed fast enough!

    1. Re:HIPAA is a travesty by Tony+Isaac · Score: 3, Insightful

      You are correct, that is what HIPAA was supposed to be about. You are fortunate.

      The problem is, it all depends on how the specific doctor or hospital interprets their obligations under HIPAA. Some of them are reasonable, but others grossly exaggerate the level of privacy required by the law.

      In our business, we often have to read document after document just to try to understand the requirements. If WE have to do that, how in the world can a small doctor's office apply the law correctly? The truth is, they often make their best guess and hope the lawyers don't come after them.

  4. Re:Pledged to tweak their infrastructure by NeoMorphy · Score: 2

    I agree!

    I work at a health insurance company and everyone in the company was required to take HIPPA training. It was very thorough, and I assume everyone else in the Health Industry had to go through something similar. On top of that, the pharmacy reminds you of it and whenever I see a new doctor I get to read yet more documentation regarding HIPPA and then sign it.

    The employees involved should have known they were doing something that was not only illegal, but that it would endanger their career.

    If you think about it, there is a lot of private data that is ultimately protected by people acting professionally and not disclosing that information to the wrong people. There is no way to proactively stop that, other than hiring the right people, doing background checks, and impressing upon them the importance of following the rules regarding privacy.

  5. Re:Pledged to tweak their infrastructure by NeoMorphy · Score: 2

    Argghhh!

    My apologies, you are correct.

    HIPAA (Health Insurance Portability and Accountability Act)

    For some reason I often think "Health Insurance Portability and Privacy Act", which seems more appropriate. There is a lot of emphasis on privacy, and yet it's not in the acronym. I must confess that remembering what the acronym stood for was a question I got wrong, but I got the rest right.

  6. sounds like sound risk management to me. by KingAlanI · Score: 2

    Because she's famous, it increased the risk that people would access the records unnecessarily, and this behavior seemed like a logical response to manage that risk.

    --
    I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.