Interesting IT news this week: UCLA Health System employees might be facing fines and termination over leaked information and unauthorized access to Britney Spears’ medical information.
Rarely will you see IT and celebrity gossip cross over. In this case, however, there is an underlying IT issue that the tabloids and legit news have failed to cover. The LA Times is reporting that, in all, thirteen employees are to be fired, and at least six are suspended, for accessing Britney Spears’ medical records during her treatment at the UCLA Medical Center.
Earlier this year Spears was admitted to UCLA against her will under Section 5150 of California’s Welfare and Institutions Code. This code reads in part that anyone admitted under it can be held for 72 hours and, if deemed a danger to others or to themselves, can have the hold extended. Britney spent most of January under hospital care. She was released February 6 by the hospital.
During her prolonged stay, the LA Times says, various staff accessed her medical records. It does not take a genius to assume the same staff could have fed the media most of the gossip and personal information that leaked during that time.
The problem is that most of the news is centering on the termination of the staff and not on the lax security measures that were supposed to ensure HIPAA compliance. Cedars-Sinai Medical Center in Los Angeles told the LA Times that its records of Spears and other high-profile patients are flagged so that access is highly restricted. This should be the case for anyone. Why is it only for high-profile people?
The Times story has lots of comments and statements defending the hospitals. They do everything they can, the report says, to educate staff on patient confidentiality. However, this shouldn’t be needed as they are all entering into, or are already a part of, the medical profession where patient privacy is given top billing.
Where is the network security in all of this? The IT staff creates and enforces access and compliance policy. Why were there no reports of UCLA IT staff facing termination? How is it that so many people are granted access to these records?
There is a whole series of standards and policies for IT centered on HIPAA compliance alone. The US Department of Health and Human Services offers seven different papers on the subject on its Centers for Medicare and Medicaid Services (CMS) website. It is apparent from the Times story that there was only basic protection offered to patient records. While there is obvious protection, the likely failing is policy. Too many people have too much access.
UCLA has not addressed this in the press, and they have not responded to requests for comment. However, this story, while almost comical in nature, is a perfect example of why, when dealing with compliance issues in IT, you have to start from the ground up in terms of who has access to what, and where that access can lead in the future.
Opinion:
While this LA Times story caught my eye over the HIPAA issue and security, the sad truth is Britney Spears was the focus and not the overall issue. The headline "UCLA gets a good look at Britney's Privates" comes to mind. However, that joke, while funny, is just too easy.
“People still gossip,” Lois Richardson of the California Hospital Assn. told the Times. “They're nosy; they're curious. They want to be able to tell their friends, 'I saw Britney's records.' Their friends are asking. That's just how people are.”
This is true, but this is also the reason strong policy enforcement is needed in the IT field. It is sad to think that millions are spent on IT security, but simple record restrictions would have prevented this. I have no love for Spears; I feel she brought her troubles on herself. However, she did not deserve to have her civil rights violated. No one does.
It is very likely that because she is who she is, Spears’ records were open for mass consumption. During her ordeal, daily news, including medical information, was reported online and over the air.
There is also the issue that most of the staff slated for termination are basic and regular workers, and none of the MDs were targeted. While I still think the IT staff needs to be looked at, the obvious stance of “let’s protect the doctors” is an issue all its own.