In classified environments, information is only available on a need-to-know basis. If you have no official business pertaining to a file, then you don’t need to know. Healthcare professionals should consider HIPAA to be a similar environment.
Last year, Congress passed HITECH, which tightened restrictions on healthcare privacy and increased penalties for transgressions. Unauthorized access to patient records can lead to jail time. A surgeon working as a researcher at UCLA was sentenced to jail under HIPAA. What happened? Here’s the rest of the story:
Huping Zhou, a cardiothoracic surgeon, was working at the UCLA School of Medicine as a researcher. His employment was terminated, but UCLA’s IT department didn’t block his access to electronic medical records at the same moment; it took the university some time to revoke the doctor’s authorization to the database. In that interim, Dr. Zhou accessed and read his immediate supervisor’s medical records, as well as those of former co-workers. Then, over the next few weeks, his curiosity led him to remotely access other medical records he was unauthorized to see, including those of celebrity patients.
Authorities acknowledge that Zhou didn’t try to sell the information. Zhou’s attorney, Edward Robinson, says the doctor, a Chinese immigrant, didn’t know it was a federal crime. Last January, Zhou pled guilty to four misdemeanor counts of violating the HIPAA privacy rule. He was sentenced to four months in jail.
File snooping out of curiosity is not considered authorized access. There is no Need To Know. Accessing records of a neighbor, child’s teacher, or friends without authorization can land a doctor and his practice in hot water. HIPAA isn’t just a good idea or ethic. HIPAA is being actively enforced, and the powers that be are paying attention to who accesses what files.
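The story above turns on a gap between the moment employment ended and the moment database access was revoked, and on the fact that someone eventually looked at who accessed what. The following is an added example, not code from the original post or from UCLA: it shows how a compliance or security team can check an EMR audit trail against the HR roster to flag record access that happens after a termination date, and to measure how long the revocation lag actually was. The audit-log format, the user ids, the record ids and the timestamps are all constructed for the demonstration.

```python
"""
Added example (not from the original post): flag EMR access that occurs
after an employee's HR termination date, and measure the revocation lag.
Log format, user ids, record ids and timestamps are constructed here;
the audit-line layout is hypothetical, not any vendor's real format.
"""
from datetime import datetime, timedelta

# Constructed HR roster: user id -> termination timestamp (None = still employed).
HR_ROSTER = {
    "u1001": None,
    "u1002": datetime(2009, 10, 1, 17, 0),   # hypothetical termination time
}

# Constructed audit lines: "<ISO timestamp> user=<id> action=<verb> record=<id>"
AUDIT_LOG = """\
2009-10-01T09:15:00 user=u1001 action=view record=MRN-0001
2009-10-01T16:30:00 user=u1002 action=view record=MRN-0002
2009-10-02T08:05:00 user=u1002 action=view record=MRN-0003
2009-10-20T23:42:00 user=u1002 action=view record=MRN-0007
2009-10-21T10:00:00 user=u1001 action=update record=MRN-0003
2009-10-21T10:01:00 user=u9999 action=view record=MRN-0004
"""


def parse_line(line):
    """Turn one audit line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), **kv}


def post_termination_access(log_text, roster, grace=timedelta(0)):
    """Return audit events by users whose termination date precedes the event
    (beyond an optional grace window), plus events by users HR has no record
    of at all, which a deprovisioning review should also look at."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if user not in roster:
            findings.append({**ev, "reason": "unknown user"})
            continue
        term = roster[user]
        if term is not None and ev["ts"] > term + grace:
            findings.append({**ev, "reason": "access after termination",
                             "lag": ev["ts"] - term})
    return findings


def revocation_lag(findings):
    """Longest observed gap between termination and a still-working access;
    this is the window the post describes, measured from the evidence."""
    lags = [f["lag"] for f in findings if "lag" in f]
    return max(lags) if lags else timedelta(0)


if __name__ == "__main__":
    hits = post_termination_access(AUDIT_LOG, HR_ROSTER)
    for h in hits:
        print(h["ts"], h["user"], h["record"], h["reason"])
    print("max revocation lag:", revocation_lag(hits))
```

Run against the constructed data, the check flags the two views by u1002 after the termination time (the 16:30 view on the same day, before termination, is not flagged) and the view by u9999, a user id absent from the roster. The `grace` window exists because a same-hour handover may be legitimate policy; what matters is that the interval between termination and revocation is measured and reviewed rather than discovered weeks later.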
Another practical reminder: Before responding to a rant about your practice on a doctor rating site, remember that HIPAA was not designed to encourage robust debate in the marketplace of ideas.
It is even worse as many hospitals encourage staff people to write in glowing statements about others on the staff so that the hospital looks good to the public.
EMR vendors often require access to their clients’ servers for maintenance and updates.
Increasingly, EMR products use internet-based servers or cloud solutions.
If EMR vendors use software development teams in a foreign country (e.g., India) where HIPAA laws do not apply, what protections are in place to prevent infringements on U.S. confidentiality regulations by the software technicians in those foreign countries?
Is this potential vulnerability real?
I wonder if individuals working for insurance companies have been criminally charged under HIPAA.
Dr. Zhou should have known what he was doing was at the least very unethical. Ignorance of the law, in my opinion, is sometimes an excuse, but not in this case. The article doesn’t say how he got caught, which makes me curious for more information on the case.
The very nature of electronic records and activity, encrypted, controlled access or otherwise, makes privacy a leaky bucket (at best). Sure, he should have simply stopped his access, but the entire situation should make ALL of us aware that there really is no sure path to privacy. For instance, did you know that visits to certain websites drop a “cookie” into your computer and they can then follow you everywhere after that – and indefinitely – and that your behavior on the internet is then sold, not once, but countless times?
Major corporations are hacked routinely. Who gets penalized there? The developer? The software companies? The hosting companies? The makers of the servers?
Our entire culture is being prodded into voyeurism through the countless “reality” shows, home videos, social sites and blogs. If we expect to regain any type of privacy, there needs to be a culture shift at home and in the media.
I feel bad for this doctor. Ignorance of the law is inescapable as there are increasingly new rules and laws that affect everything we do. Keeping up with them all is an impossibility.