Invasion of medical records, hospital privacy on the rise

A woman who had attempted suicide and was rushed to a Los Angeles County hospital was photographed by a nurse, her image then placed on websites two years later. Her case is an extreme example of how violations against patient privacy have increased, both nationwide and in California. Says one privacy advocate: In the rush to digitize medical records, privacy has fallen by the wayside.

She had jabbed pencils into her eyes to try to kill herself.

When the woman was brought to a Los Angeles County emergency room in 2012 alive and in pain, a hospital employee snapped a photograph, breaking a federal patient privacy law.

Two years later, when that photograph appeared on a website that features gory images, the patient’s medical information had been shared publicly, violating a state regulation.

The woman’s story is extreme, but her experience is an example of how her privacy was violated and her medical data breached. Both crimes, which are on the rise, can lead to identity theft or to misuse of information by health insurance companies, said Pam Dixon, executive director of the San Diego-based World Privacy Forum.

“The employee disclosed sensitive information about the patient inappropriately and then when the photograph was posted online and went viral, that constituted a data breach,” Dixon said. “That data breach is against the law.”

California state law requires hospitals to report breaches of patient medical data. The number of incidents investigated by the California Department of Public Health rose to 4,213 last year, or an 81 percent increase from 2009 when there were 2,333 cases.

On a federal level, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, is supposed to ensure privacy and confidentiality of identifiable health information, among other protections.

But complaints filed with the U.S. Department of Health and Human Services have risen steadily. In 2013, there were 12,915 complaints filed across the nation, nearly double the number filed in 2004. Dixon said that under the Affordable Care Act all hospitals, clinics and physicians were pushed to digitize medical records to boost efficiency. But not enough has been done to ensure privacy, which in turn places consumers at risk.

“It is one of the great oversights of the Affordable Care Act,” Dixon said. “The rate of data breach is not acceptable. It’s a big deal because privacy exists in the details.”

The vast majority of breaches investigated by the California Department of Public Health involve unintentional disclosures of medical information that would include documents that are delivered, mailed or faxed to an unintended recipient, state officials said.

Health department officials said they could not comment on what individuals do with medical information that is accessed without authorization because there are too many different scenarios.

“However, many unintentional breaches that we have investigated involve an unauthorized access of medical information that does not result in any further use or disclosure of this information,” according to a California Department of Public Health statement.

HIGH-PROFILE BREACHES

Notable and extreme cases involving celebrities have put a spotlight on the problem and led to the establishment of a hefty penalty system. In 2011, UCLA agreed to pay a penalty of $865,500 as part of a settlement with federal regulators after Farrah Fawcett and another celebrity patient alleged that hospital employees reviewed their medical records without authorization. Later in 2011, UCLA was sued for violating a California law after burglars took a laptop from a physician’s home that contained the medical records and other personal information belonging to 16,000 patients.

In another case that year involving social media, officials with Providence Holy Cross Medical Center in Mission Hills dismissed an employee hired from a staffing agency for posting a patient’s medical information on his Facebook page, apparently to make fun of the woman’s name and her medical condition.

And this fall, two nurses were fired from the Nebraska Medical Center in Omaha after they allegedly looked at the medical file of an American aid worker infected with Ebola, according to published reports. Officials at the hospital told reporters that an audit of the hospital’s electronic medical records led to the discovery that two employees had inappropriately accessed Dr. Rick Sacra’s file and that their actions violated federal patient privacy regulations.

“There’s zero tolerance for this at all hospitals,” said Jennifer Bayer, spokeswoman for the Hospital Association of Southern California. “That kind of training has been going on and special attention has been on social media.”

Bayer said hospitals have expensive software in place that allows staff only at specific levels to access certain records. And there are other controls in place, such as staff watching over staff.

“Some programs are robust and some are very expensive, but that’s what hospitals are trying to do, especially with high-profile patients, such as those with Ebola or celebrities,” Bayer said.

But there are challenges. Physicians are able to access medical records outside the hospital. There are concerns about laptops that are stolen, which also has happened.

“There’s a lot of work in encrypting that information,” Bayer said. “Patients should have an expectation that their information is private. They should feel comfortable knowing that.”

The woman who tried to kill herself by plunging pencils in her eyes has since received psychiatric help, has learned Braille and is taking college classes. But when she learned that her image had become public, she became distressed, her attorney said in a recent complaint filed against Los Angeles County-USC Medical Center. The woman is suing the hospital and those involved for inflicting emotional distress and for breaching her personal medical records. The complaint outlines how a nurse took a photograph of the woman, dubbed Jane Doe. The photo was passed on to another woman whose son then obtained the image and posted it twice on the Internet.

Dixon, of the World Privacy Forum, said such inappropriate behavior among medical staff is rare, and most hospitals work hard to comply with the law. But once a medical file is breached or a patient’s information is leaked, it can be too late.

“When there’s a privacy breach, there are serious consequences that can be had there,” Dixon said. “My concern is in the rush to digitize all of our records, that sometimes privacy goes by the wayside.”