The disclosure Friday that two hospital employees inappropriately accessed the electronic medical record of Omaha’s former Ebola patient isn’t necessarily an indictment of electronic record-keeping, two health-care experts say.
“This is not a problem unique to electronic health records,” said Alwyn Cassil, a spokeswoman for the Washington, D.C.-based National Institute for Health Care Reform. “There is, unfortunately, a long track record of human nature being such that curiosity got the better of people.”
After The World-Herald asked about the firings Thursday night, the Nebraska Medical Center on Friday confirmed that two employees were fired after looking at the records of Dr. Rick Sacra, the American medical missionary treated in the hospital’s biocontainment unit for an Ebola virus infection.
Such unauthorized access is a violation of the federal Health Insurance Portability and Accountability Act, or HIPAA, which protects the privacy of individually identifiable health information.
The hospital said the breach was discovered during an audit of electronic medical records. Officials said they conducted an investigation and took corrective action. They declined to elaborate other than to say the two employees involved were not working in the biocontainment unit or involved with Sacra’s care.
People who access patient records leave an electronic trail behind that can be tracked, Cassil said. “If somebody sneaks a look at a paper record, there’s no way to keep track of that,” she said.
Paper records, of course, must be thumbed through one at a time. Someone accessing electronic records could review thousands of people’s files if they thwart safeguards.
HIPAA requires health-care providers to guard against unauthorized access to records through several means, including risk assessments, implementation of security measures, regular reviews of information system activity and sanctions for workers who fail to comply.
Still, plenty of such breaches occur. On its website, the U.S. Department of Health and Human Services posts breaches of unsecured protected health information affecting 500 or more people. One recent posting involved a Florida hospital where more than 82,500 patients’ names, dates of birth and Social Security numbers were accessed. Patients were notified of the breach earlier this month.
Required reviews of electronic records reveal who is accessing the records and whether they are authorized to have access, said Angela Rose, an official with the American Health Information Management Association.
“You should have access based on the type of user you are,” Rose said. A registration clerk, she said, “shouldn’t have the same access as the physician or the nurse who is going to be treating you.” Along those same lines, she said, a hospital president or a chief financial officer doesn’t need access to patient records.
Failure to protect the information can result in large fines. In April, the owners of a Missouri physical therapy center agreed to pay HHS’ Office for Civil Rights $1.7 million after an unencrypted laptop containing patient information was stolen.
“The government is taking more of a role in enforcing the rule,” Rose said. “There was a time when there were no HIPAA police. Now there definitely are HIPAA police.”
Sacra drew national media coverage as the third American medical missionary returned to the U.S. for treatment of the often deadly Ebola virus. There also was great interest in what experimental drug the Med Center was using to treat him, something that wasn’t disclosed until 18 days into his treatment.
Sacra was treated in the Omaha hospital’s biocontainment unit from Sept. 5 until Thursday. The doctor, who contracted the virus while treating patients in Monrovia, Liberia, was released after tests performed this week showed he was virus-free.
Other hospitals across the country have dealt with similar privacy breaches involving high-profile patients’ records. A Los Angeles hospital fired six people after patient records were inappropriately accessed during several days in June 2013, a period when reality TV star Kim Kardashian was in the hospital to give birth to her daughter with rapper Kanye West.
The Nebraska Medical Center’s statement says it has “zero tolerance for unauthorized access to patient information. In accordance with HIPAA regulations, Dr. Sacra was notified in person and in writing before his departure from the hospital.”