The Security Scrutinizer with Howard Anderson

Privacy Protection: Deterring Snoops

High-Profile Patients Can Be Breach Targets

When a high-profile patient arrives at a hospital, some curious staff members who are not involved in his care may be tempted to take a peek at his medical records. Some may see the action as harmless. But it's clearly a privacy violation that merits tough discipline.

The Dayton Daily News in Ohio reported this week that Miami Valley Hospital sent a letter to accident victim Brennan Eden, informing him that four employees inappropriately accessed his medical records. Eden was in the news when he was involved in a spectacular car crash captured by police video on Aug. 23.

The hospital did the right thing in making Eden aware of the breach of his privacy. But a hospital spokesman told the newspaper that the four employees are being disciplined in accordance with human resources policy, declining to reveal the level of discipline. And that's a big mistake.

Punishing Privacy Violators

As I pointed out in a blog earlier this month, Mayo Clinic took a much more clear-cut approach in similar circumstances. Mayo fired six employees for inappropriately looking at one patient's records and then publicized its disciplinary action.

Although Mayo was tight-lipped about the details of the breach, it did a good job of communicating a zero-tolerance policy toward internal privacy breaches.

A zero-tolerance policy, like Mayo's, can be a powerful deterrent. But at the very least, hospitals and others should spell out to the victims of record snooping, as well as to the public, precisely how they disciplined those who violated the patients' privacy.

Small Breaches Are Serious Too

When it comes to breach prevention, much attention is being paid to avoiding major breaches affecting 500 or more patients, which must be reported within 60 days to the Department of Health and Human Services' Office for Civil Rights under the HITECH Act's breach notification rule.

But preventing smaller breaches, which must be reported to federal authorities annually, is equally important. Just ask Brennan Eden.

So how will your organization discipline employees who snoop at the records of celebrities, people in the news or any other patient? Have you got a clear-cut policy in place? We'd like to hear from you.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
