Nosy Healthcare Employees Snoop Electronic Medical Records
By Evidence Solutions, Inc.
Computer Technology and Digital Forensic Firm
Electronic Medical Records (EMR) and Electronic Health Records (EHR) are great tools that allow for data exchange between providers and faster access to a person’s medical history. Along with this ease of access comes the potential for abuse.
Healthcare workers use these systems to manage patient information, but access to a patient’s records should be limited to only those with responsibility for a patient's care.
Unauthorized access to a person’s electronic medical records has become easier, and abuse is estimated to be high. The beauty of EMR and EHR systems is that audit trails are built in, so detecting unauthorized access is relatively trivial: organizations just need to compare the list of caregivers who SHOULD have access with the list of those who have actually accessed a person’s electronic medical record. And, in the age of digital medical records, these unauthorized views are far too common.
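The comparison described above, as an added example (not Evidence Solutions' code or any EHR vendor's): a Python check that matches audit-log rows against care-team assignments and also flags access outside a caregiver's assignment period. The log layout, the user and patient IDs, and the assignment windows are constructed assumptions; real audit exports differ by vendor.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit rows (not real data): timestamp, user, patient record, action.
AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2024-03-04T09:12:00,nurse_a,P100,VIEW
2024-03-04T09:40:00,clerk_x,P100,VIEW
2024-03-05T14:05:00,dr_b,P100,UPDATE
2024-03-02T08:00:00,nurse_a,P200,VIEW
2024-03-06T02:31:00,clerk_x,P200,VIEW
2024-03-06T11:00:00,nurse_a,P200,VIEW
"""

# Assumed care-team roster: (patient, user) -> (assignment start, assignment end).
CARE_TEAM = {
    ("P100", "nurse_a"): ("2024-03-01T00:00:00", "2024-03-07T23:59:59"),
    ("P100", "dr_b"): ("2024-03-01T00:00:00", "2024-03-07T23:59:59"),
    ("P200", "nurse_a"): ("2024-03-01T00:00:00", "2024-03-05T23:59:59"),
}

def find_unauthorized(log_text, care_team):
    """Return audit rows whose user was not on the patient's care team at access time."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        window = care_team.get((row["patient_id"], row["user_id"]))
        if window is None:
            reason = "not on care team"
        else:
            start, end = (datetime.fromisoformat(t) for t in window)
            if start <= when <= end:
                continue  # access falls inside the caregiver's assignment
            reason = "outside assignment window"
        findings.append({**row, "reason": reason})
    return findings

def patients_per_user(findings):
    """Group flagged accesses by user; many patients per user suggests browsing."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user_id"]].add(f["patient_id"])
    return dict(per_user)

if __name__ == "__main__":
    flagged = find_unauthorized(AUDIT_LOG, CARE_TEAM)
    for f in flagged:
        print(f["timestamp"], f["user_id"], f["patient_id"], f["action"], f["reason"])
    print(patients_per_user(flagged))
```

A flagged row is a lead for review, not proof of misuse: on-call coverage, emergency access and billing roles need to be reflected in the roster before the results are acted on.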
EXAMPLE EMR DATA BREACHES:
Kanye West and Kim Kardashian had their baby at the Cedars-Sinai Hospital in Los Angeles, CA, on June 24, 2013. Between June 18 and June 24, 2013, Kim Kardashian’s medical records were inappropriately accessed. The hospital fired 5 individuals who accessed Kim’s medical records outside of their scope of employment. In addition to the 5 fired for accessing Kardashian’s records, a sixth person was fired for accessing the records of 14 patients in that same time period.
In October of 2013, the Allina Health System in Minnesota notified approximately 3,800 patients that one of its medical assistants had improperly accessed their Protected Health Information (PHI) over approximately three years between February 2010 and September 2013. The record system, which covers all of the Allina Health System, allowed the employee to access not only records at the clinic where they were employed, but also records from other locations within the organization. The employee in this case accessed patients’ names, dates of birth, clinical health data, health insurance coverage information and partial Social Security numbers.
"We deeply regret that this occurred and want you to know we are committed to protecting the privacy of our patients’ personal information," the Allina website said. "To help prevent similar incidents from happening in the future, we are evaluating our policies related to protecting patient information, examining our computer security programs and continuing to educate employees on their obligation to maintain the privacy of patient information."
FEDERAL EMR MANDATES:
The Health Insurance Portability and Accountability Act (HIPAA) prohibits doctors, their staff and medical professionals from disclosing patient information without the patient’s permission. Violating HIPAA is a serious offense which can result in fines and criminal charges.
The Office of the National Coordinator's (ONC) Health Information Technology Certification (HITC) programs mandate that EHR technology meet minimum audit log requirements. All changes and actions to the patient record must be captured, along with the date and time of the action, the user identification and the ID of the patient record being accessed.
In addition to the ONC requirements, the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act have specific requirements pertaining to audit logs and patient privacy.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as internationally for consulting, forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought-after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and international organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.