Octomom Patient Privacy Breach
Posted by Kurt Johnson - VP Strategy on Wed, Apr 01, 2009
It was reported yesterday that 15 hospital employees were fired, and another eight disciplined, for viewing patient records without permission. It appears that the employees of Kaiser Permanente Bellflower Medical Center viewed the patient records of infamous octuplet mother Nadya Suleman (aka Octomom) without a medical reason.
This is just the latest incident in which private patient records have been accessed by employees in violation of hospital policy and healthcare privacy laws. A similar story broke last year at UCLA hospitals, where the medical records of various celebrities, including Britney Spears and Farrah Fawcett, were improperly accessed, leading to firings, suspensions, and warnings for approximately 175 hospital employees.
It's critical that organizations truly understand who has access to what. Is this access appropriate? Is it within hospital policy? Does it violate HIPAA policy? As may, or may not, be the case here, the access itself may be appropriate while the activity is not. These employees may have had valid access, but they had no right to snoop into Octomom's medical information. It's critical that organizations gain control not only over access, but over user activity as well, and ensure that both are within policy.
Today's healthcare organizations can't be too careful when it comes to ensuring that their users only have access to what they need in order to properly perform their jobs. As I discussed in a recent blog posting (HIPAA Compliance - This Time We Mean It), the Department of Health & Human Services has really stepped up its enforcement of privacy laws recently, and it's more important than ever that hospitals employ every tool at their disposal to protect patient data from such breaches - or risk severe penalties. This is going to be particularly important for California hospitals like UCLA and Kaiser, since California Gov. Arnold Schwarzenegger recently signed into law legislation that increases state fines for security and privacy violations involving patient health information. The bills mandate security controls for preventing unauthorized access to patient data.
Developing an access assurance strategy can provide strong controls for protecting privacy information and complying with regulations like HIPAA. It's imperative that organizations take steps to properly define the policy around who should have access to what, ensure they have the ability to enforce this policy, continuously monitor and detect when access and actions are inconsistent with that policy, and remediate and document when policy violations occur.
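As an added illustration of the distinction drawn above between valid access and out-of-policy activity, and of the monitor-and-detect step of an access assurance strategy, the following Python script (not code from the original post or from any vendor product) runs over a constructed EHR audit trail and care-team table. The log format, patient ids, user names and the care-team mapping are all assumptions made for the example.

```python
"""Detect chart views that fall outside a documented treatment
relationship: the viewer's role let them open the record (valid access),
but hospital policy did not (out-of-policy activity). Added example;
the audit-log format, care-team table and names are constructed."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed audit trail: who viewed which patient record, and when.
AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2009-03-30T08:02:00,dr_lee,physician,P-1001,view_chart
2009-03-30T08:15:00,rn_garcia,nurse,P-1001,view_chart
2009-03-30T09:40:00,clerk_ortiz,billing,P-1001,view_chart
2009-03-30T09:41:00,rn_patel,nurse,P-1001,view_chart
2009-03-30T10:05:00,dr_lee,physician,P-2002,view_chart
2009-03-30T11:20:00,tech_nguyen,lab,P-1001,view_chart
"""

# Constructed treatment relationships: staff assigned to each patient.
CARE_TEAM = {
    "P-1001": {"dr_lee", "rn_garcia"},
    "P-2002": {"dr_lee"},
}

def parse_log(text):
    """Parse the CSV audit trail into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))

def find_out_of_policy_views(rows, care_team):
    """Return (user, patient_id, timestamp) for every chart view by a
    user with no documented treatment relationship to that patient."""
    hits = []
    for row in rows:
        if row["action"] != "view_chart":
            continue
        if row["user"] not in care_team.get(row["patient_id"], set()):
            hits.append((row["user"], row["patient_id"], row["timestamp"]))
    return hits

def distinct_viewers(rows):
    """Count distinct users per patient record: a spike of viewers on one
    record (a newsworthy patient) is the signal that should trigger review."""
    viewers = defaultdict(set)
    for row in rows:
        viewers[row["patient_id"]].add(row["user"])
    return {pid: len(users) for pid, users in viewers.items()}

if __name__ == "__main__":
    rows = parse_log(AUDIT_LOG)
    for user, pid, ts in find_out_of_policy_views(rows, CARE_TEAM):
        print(f"{ts} {user} viewed {pid} without a care relationship")
    print(distinct_viewers(rows))
```

Each flagged view is the record the remediation step needs: who, which patient, and when, so the violation can be investigated and documented.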