How Secure Are Medical Records in the Age of Digital Record Keeping?
When you go to the hospital, federal law says that only doctors, other health care providers and those who pay for your care, such as insurance companies, can access your medical records. But what protects patients against the prying eyes of health care professionals who take a less than professional interest in their medical history?
In 2008, “Jane” had a brief sexual relationship with Dr. Joshua Welch, who was then a family physician at Fletcher Allen Health Care in Burlington. Because he was married, Jane assumed that all aspects of the Welch affair would remain confidential.
But shortly after their relations began, Jane — who asked to remain anonymous due to the nature of her case — developed a condition that led her to wonder, among other things, whether she had contracted a sexually transmitted disease from Welch. She informed him via email that she was going to get tested.
What Jane didn’t expect, however, was that Welch would use his doctor privileges at Fletcher Allen to snoop through her medical records. Only later did Jane learn that she tested negative for STDs. In the meantime, she suspected that Welch had gone through her files without permission. In August 2008, she notified Fletcher Allen of her suspicion and requested an audit of her medical records. In October, she filed a formal complaint with the Vermont Board of Medical Practice. A month later, Welch resigned from the hospital.
A subsequent investigation by the state medical board determined that Welch had indeed accessed Jane’s records without her authorization, as well as the records of seven other women who weren’t his patients — a violation of the federal Health Insurance Portability and Accountability Act, commonly known as HIPAA. Under a stipulation and consent order signed on February 2, 2010, Welch was slapped with a six-month suspension that was applied retroactively. Plus, his medical license was “conditioned” for another five years, meaning that he agreed to corrective measures, including counseling and professional supervision.
Asked about Welch’s punishment, Jane says she has no idea if justice was served; she has no basis for comparison. Either way, she’s troubled by a bigger concern: Why did it take Fletcher Allen two years to discover her privacy was breached, and then only after she notified the hospital of her suspicions? More importantly, she asks, what, if anything, has been done to ensure that patients’ confidential files aren’t similarly compromised in the future?
Fletcher Allen administrators are unwilling to discuss details of the Welch case, calling it an internal “personnel matter.” However, they point out that since Welch left the hospital, Fletcher Allen has implemented a new electronic records system known as PRISM — short for Patient Record and Information Systems Management — which, they say, doesn’t make snooping impossible but does make it far less likely to escape detection.
The $58 million rollout, which “went live” on June 6, 2009, for all in-patient units, eliminates the cumbersome paper charts that follow patients through the hospital. Instead, their medical histories, drug prescriptions and progress are tracked electronically in a database that can be accessed from work stations throughout the hospital. Among other things, PRISM protects patients against the inadvertent privacy breaches that can occur when charts are left lying around.
Additionally, 10 off-site medical practices affiliated with Fletcher Allen are now using PRISM; more than 30 are expected to be online within 18 months. In total, more than 8000 clinicians throughout Chittenden County will be able to access a single patient’s chart at the touch of a button.
But what keeps those records from falling into the wrong hands? Chuck Podesta is Fletcher Allen’s chief information officer. On any given day, he explains, the system audits the entire e-records database looking for abnormal trends and unusual use patterns. For example, the system flags individuals who access the system with unusual frequency, as well as hospital employees who access the records of fellow employees.
By design, the system cannot be too restrictive, Podesta explains. If a patient comes into the hospital through the emergency department, then moves to the intensive care unit, then later to another floor, those records must be accessible to many caregivers all along the way.
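The two rules Podesta describes (unusual access frequency, and employees opening the charts of fellow employees), plus the pattern at the heart of the Welch case (one user opening the charts of several patients who were never theirs), can be expressed as a retrospective audit over an access log. The script below is an added illustration written for this article; it is not PRISM's code, and the log format, the field names, the sample events, the employee list and the thresholds are all constructed assumptions. It deliberately flags for review rather than blocking, because, as the paragraph above notes, a single off-team lookup is routine when a patient moves from the emergency department to intensive care to another floor; a pattern of them is what an auditor wants to see.

```python
"""Retrospective audit of EHR chart-access events.

Added example, not Fletcher Allen's or PRISM's code. The log format below is
hypothetical: ISO timestamp, user id, role, patient id, and whether the user
was on that patient's care team at the time of access.
"""
from collections import defaultdict

# Constructed sample log for one day. u100 opens three charts of patients
# who are not theirs; u200 opens an employee's chart once; u400 is a busy
# clinician who touches nine charts, which is legitimate but worth a look.
ACCESS_LOG = """\
2009-06-08T08:05:10 u100 physician p5001 care_team
2009-06-08T08:20:42 u100 physician p5002 care_team
2009-06-08T12:31:05 u100 physician p7001 none
2009-06-08T12:33:17 u100 physician p7002 none
2009-06-08T12:36:48 u100 physician p7003 none
2009-06-08T09:00:01 u200 nurse p5001 care_team
2009-06-08T09:15:22 u200 nurse p5003 care_team
2009-06-08T10:02:09 u200 nurse p5004 care_team
2009-06-08T13:40:30 u200 nurse p9100 none
2009-06-08T14:00:00 u300 clerk p5005 care_team
2009-06-08T07:00:00 u400 physician p6001 care_team
2009-06-08T07:12:00 u400 physician p6002 care_team
2009-06-08T07:25:00 u400 physician p6003 care_team
2009-06-08T07:40:00 u400 physician p6004 care_team
2009-06-08T08:01:00 u400 physician p6005 care_team
2009-06-08T08:30:00 u400 physician p6006 care_team
2009-06-08T09:10:00 u400 physician p6007 care_team
2009-06-08T09:45:00 u400 physician p6008 care_team
2009-06-08T10:20:00 u400 physician p6009 care_team
"""

# Constructed: patient ids that belong to hospital employees.
EMPLOYEE_PATIENT_IDS = {"p9100", "p9101"}


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, relation = line.split()
        events.append({"ts": ts, "day": ts[:10], "user": user, "role": role,
                       "patient": patient, "on_care_team": relation == "care_team"})
    return events


def flag_high_frequency(events, max_patients_per_day=8):
    """Users who opened more distinct charts in one day than the threshold.

    Returns {(user, day): distinct_chart_count} for each flagged user-day."""
    per_user_day = defaultdict(set)
    for e in events:
        per_user_day[(e["user"], e["day"])].add(e["patient"])
    return {key: len(charts) for key, charts in per_user_day.items()
            if len(charts) > max_patients_per_day}


def flag_employee_record_access(events, employee_patient_ids):
    """Any access to the chart of a fellow employee, regardless of role."""
    return sorted({(e["user"], e["patient"]) for e in events
                   if e["patient"] in employee_patient_ids})


def flag_off_care_team(events, min_distinct_patients=3):
    """Users who opened the charts of several patients they were not treating.

    A single off-team lookup is tolerated (hand-offs make it routine); only a
    pattern across several patients is surfaced for review."""
    per_user = defaultdict(set)
    for e in events:
        if not e["on_care_team"]:
            per_user[e["user"]].add(e["patient"])
    return {user: sorted(charts) for user, charts in per_user.items()
            if len(charts) >= min_distinct_patients}


def audit(log_text, employee_patient_ids=EMPLOYEE_PATIENT_IDS):
    """Run all three rules over a log and return the findings per rule."""
    events = parse_log(log_text)
    return {
        "high_frequency": flag_high_frequency(events),
        "employee_records": flag_employee_record_access(events, employee_patient_ids),
        "off_care_team": flag_off_care_team(events),
    }


if __name__ == "__main__":
    for rule, hits in audit(ACCESS_LOG).items():
        print(f"{rule}: {hits}")
```

On the sample log, only u100 trips the off-care-team rule, only u200's single lookup of p9100 trips the employee-record rule, and u400 is listed under high frequency for a reviewer to dismiss or pursue. Real deployments would derive the frequency threshold from each role's own baseline rather than a fixed number, and would record the patient's care team from the admission, transfer and discharge feed rather than from a column in the log.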
“But they do know that we do this auditing on a regular basis,” Podesta says, “and they know that if they go someplace where they’re not supposed to be, they could be caught.”
A few transgressors have already been caught and disciplined, though Podesta describes those violations as minor and not maliciously motivated. He cites one example in which a hospital employee used the system to look up the upcoming birthday of a patient. That employee was disciplined and educated about the proper use of the system.
Whatever the intent of the breach, federal law requires that patients be notified whenever their confidential records have been compromised, whether the source is a rogue doctor or a stolen laptop loaded with unencrypted data on 5000 patients. A new federal regulation enacted as part of the 2009 HITECH Act threatens stiffer penalties for HIPAA violators and promises periodic audits by the Office for Civil Rights (OCR).
The number of complaints is increasing, but some consumer advocates point out that the OCR only investigates and prosecutes a “minuscule” fraction of them.
Allen Gilbert is the executive director of the American Civil Liberties Union of Vermont. Though Gilbert isn’t critical of the PRISM system per se, he is concerned that state regulators at the Department of Banking, Insurance, Securities and Health Care Administration approved Fletcher Allen’s e-records system before adopting clear privacy and security guidelines.
And, since Fletcher Allen is the state’s first hospital to switch to a paperless chart system, it will become the de facto standard as other, smaller hospitals follow suit. It’s worth noting that the American Recovery and Reinvestment Act of 2009 provides financial incentives to hospitals that implement e-record systems by 2011, which is expected to accelerate the adoption process. On February 12, Vermont’s congressional delegation announced the release of nearly $12 million in federal funds to move Vermont’s doctors’ offices and hospitals to paperless records systems. The goal: to improve patient care, reduce medical errors and maintain the security and privacy of patient records.
“Fletcher Allen has tried to build a lot of safeguards into the system, and PRISM is very good,” Gilbert suggests. “But I don’t think there’s been the coordination and oversight from the state that a lot of people, particularly consumer advocates, were hoping for.”
For her part, Jane says she isn’t likely to take her case to court. Under federal law, individuals have no private right of action on HIPAA violations, meaning that unless she can prove she was personally or financially harmed by her breached privacy, she cannot file suit against Welch. Ironically, if she did, her identity and private medical records likely would be made available to the defendant, his attorneys and the press, undermining her overall goal of keeping her medical information confidential.
It’s worth noting that HIPAA violations can be criminally prosecuted. Jane says she’s been contacted by the OCR and the FBI, but, to date, no criminal charges have been filed in her case.
The U.S. Attorney’s office in Burlington declined to answer any questions about it.
“I have no faith in the system,” Jane concludes. “As I’ve been told over and over, nine times out of 10, these cases go nowhere.”