Medical Records of the Rich and Famous - A Huge Risk

Recently a major settlement was reached between the U.S. Department of Health and Human Services (HHS) and UCLA Medical Center, over a breach of patient records. It involved the improper access of several high-profile/celebrity patient records - by multiple internal employees over many years.

This case is remarkable on several fronts.

First of all, the financial settlement amount was $865,000. While that might not be a bank-breaker for an organization as large as UCLA, that amount is far from trivial.

Second, the case is noteworthy - or maybe a more appropriate term is notorious - for its breadth and depth of both the overall timeframe during which the breaches occurred and the number and diversity of employees involved. The episodes of unauthorized access lasted for nearly five years - at least that we know of. According to news accounts, 70 or more current or former UCLA employees were involved. Some of them were motivated by mild curiosity, some by retribution, and some by greed. One employee was charged with selling the protected health information to a leading national tabloid; this high-level employee was fired and also pleaded guilty of federal felony charges. Another employee is alleged to have improperly accessed both celebrity and employee files over 300 times after he was terminated. He was sentenced to four months in prison, apparently the first person to face prison time over HIPAA violations.

Neither HHS nor UCLA have confirmed the names of the celebrities involved, but numerous reports have mentioned such names as Britney Spears, Michael Jackson, Farrah Fawcett, Maria Shriver, Arnold Schwarzenegger, and many others.

You might think this case has little to do with your practice or facility. After all, only Hollywood has this concentration of VIPs/celebrities. Better think again. In every community there is a small group of well-known people whose private lives - and especially their medical records - would be of potential interest or even possible financial value to certain people.

For example, we did some HIPAA security work some time back for a clinic in a small town. Most of the area clinics and providers - and many members of their staffs - had remote access into the local community hospital’s IT systems. A few months before our engagement there, and unrelated to it, there was apparently some kind of weekend altercation involving a well-known, high-profile local couple, and one of them ended up in the hospital ER.

By Monday morning there had been over 100 different remote logins to the hospital’s electronic record system. It probably wasn’t a single provider checking the details on his/her patient … it was other people in town, no doubt merely curious or looking for gossip fodder.

The lesson for you? Make sure you train your staff to be aware of HIPAA Privacy and Security rules (the two are different and both are critically important - HIPAA Privacy governs paper records and HIPAA Security covers electronic records). Second, make sure they clearly understand that unless they have a legitimate business or medical reason to access a medical record - in either paper or electronic form -they are expressly prohibited from doing so.

Here is a simple and straightforward exercise to bring this point home to your staff, the next time you get together for HIPAA training, make a list of four or five famous people in your community. Think not only of your mayor or governor, but famous sports figures, successful business leaders, leading socialites, and the like. Then ask your staff to think how cool it would be if one of those famous people came into your facility. Just think of the recognition it would bring, the prestige, the fame. Then think about what would happen if your medical facility ended up in the news, connected to one of these famous people, but in the wrong kind of way.

Your staff will probably get the idea.

For more on Marion Jenkins and our other bloggers, click here.