It happened again — yet another high-profile security breach involving a patient record has been reported. But this one didn’t happen in California and it didn’t involve a hospital employee seeking information to leak to a tabloid.
A few days ago, several workers at Shands Jacksonville Medical Center, part of the eight-hospital Shands HealthCare system, were fired for violating the privacy of a patient. The employees, who included nurses, administrative workers and PR staffers, were accused of breaking privacy rules by accessing the medical records of Richard Collier, an offensive tackle for the Jacksonville Jaguars football team. Collier was hospitalized after being shot 14 times on Sept. 2. According to reports, an unidentified gunman approached the 26-year-old while he waited in his SUV outside an apartment building and opened fire. The 26-year-old survived, but was left paralyzed from the waist down and lost one of his legs.
This case really grabbed my attention; not just because I’m a football fan, but because it seems like a situation where a breach in security posed a significant threat both to the patient and to those treating him. This goes beyond just a violation of privacy — when a patient is the victim of what appears to be a violent crime, it becomes even more paramount that his information is safely guarded.
That being said, I have just as much of an issue with hospital workers who sell information about the mental health condition of a patient who happens to be a pop star to the media. All patients — whether they are professional athletes, actors, singers, lawyers, or teachers — are entitled to privacy when they enter an ED. And while it shouldn’t be more of a concern if the records that are being leaked (or inappropriately viewed) belong to celebrities, these cases can serve an important purpose in lighting a fire under the behinds of the powers that be. Too many security breaches are occurring, and more needs to be done.
In a recently released report, the HHS Office of the Inspector General questions how effective CMS has been in ensuring that providers are protecting patient records, and says that the agency's efforts have fallen short of ensuring compliance with the HIPAA security rule. (For more information, please see Reece Hirsch’s posting from a few days ago, which gave an excellent perspective on the issue).
With this kind of pressure from HHS/OIG — combined with negative press stemming from the recent breaches — the timing is ripe for hospitals to step up their security. Patients have enough to worry about while they’re being treated; the idea that their records could fall into the wrong hands shouldn’t even enter their minds.
But it had better be on the minds of hospital executives.