As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).
The access highlights what should be a growing concern for health care industry employers: the increased availability EHRs provide about patients’ private information that is otherwise protected by HIPAA. As reported in the Bulletin, according to the President of the Minnesota-based Citizens’ Council on Health Care, “the development of the electronic medical record has allowed all sorts of people to have access” that they would not have had before the advent of EHRs.
As previously reported here, the risks of data breaches and misuses of personal information rise significantly when the information is in electronic format. The trend toward putting more information in electronic format will only continue given the significant cost savings through technological advancements and, for health information, federal subsidies for the adoption of EHRs. Despite protections mandated by law, the portability and availability of EHRs nevertheless facilitate the improper viewing or misuse patients’ protected health information.
The Mayo Clinic terminations come on the heels of a string of employee terminations in 2008 by the UCLA Medical Center, which, through investigations dating back to 2004, found that at least 127 employees had improperly accessed the medical records of celebrities. One employee was even indicted in 2009 after she was found to have purposefully removed the social security numbers of celebrity patients and recorded actor Farah Fawcett’s medical records. Farah Fawcett subsequently sued her.
While most medical providers are well-aware of HIPAA’s requirements, the interest in all things celebrity may be too much for some to resist. We expect that the American Recovery and Reinvestment Act of 2009 (ARRA) [pdf] may only increase the risk of privacy breaches for it provides incentives to health care-related businesses to develop even more extensive uses of electronic health records. However, even famous celebrities have privacy rights under HIPAA, and health care employers should revisit their policies, procedures and training in the area of maintaining patient privacy and more closely monitor the use of electronic medical records.