HIPAA breakdown fuels pop star’s fading public image

by Steve Ragan - Mar 20 2008, 11:00

Interesting IT news this week, UCLA Health System employees might be facing fines and termination over leaked information and unauthorized access to Britney Spears’ medical information.

Oops! My privacy was violated. UCLA Health System employees might be facing fines and termination over leaked information and unauthorized access to Britney Spears’ medical information. (IMG: J.Anderson)

Rarely will you see IT and celebrity gossip cross over, however, in this case there is an underlying IT issue that the tabloids and legit news have failed to cover. The LA Times is reporting that in all thirteen employees are to be fired, and at least six are suspended for accessing Britney Spears’ medical records during her treatment at the UCLA Medical Center.Earlier this year Spears was admitted to UCLA against her will under Section 5150 of California’s Welfare and Institutions Code. This code reads in part that anyone admitted to it can be held for 72 hours and if deemed a danger to others to themselves they can have it extended. Britney spent most of January under hospital care. She was released February 6 by the hospital.During her prolonged stay, the LA Times says that various staff accessed her medical records. It does not take a genius to assume the same staff could have fed the media with most of the gossip and personal information that leaked during the time.The problem is that most of the news is centering on the termination of the staff and not the lax security taken to ensure HIPAA compliance. Cedars-Sinai Medical Center in Los Angeles told the LA Times that its records of Spears and other high-profile patients are flagged so that access is highly restricted. This should be the case for anyone, why is it only for high-profile people?The Times story has lots of comments and statements defending the hospitals. They do everything they can, the report says, to educate staff on patient confidentiality. However, this shouldn’t be needed as they are all entering into, or are already a part of, the medical profession where patient privacy is given top billing.Where is the network security in all of this? The IT Staff creates and enforces access and compliance policy. Why were there no reports of UCLA IT staff facing termination? How is it that so many people are granted access to these records?There is a whole series of standards and policy for IT centered on HIPAA compliance alone. The US Department of Health and Human services offers seven different papers on the subject from their Centers for Medicare and Medicaid Services (CMS) website. It is apparent from the Times story that there was only basic protection offered to patient records. While there is obvious protection, the likely failing is policy. Too many people have too much access.UCLA has not addressed this in the press, and they have not responded for comment. However, this story while almost comical in nature, can present a perfect example of while when dealing with compliance issues in IT, you have to ensure that you start form the ground up in terms of who has access to what, and where that access can lead in the future.Opinion:While this LA Times story caught my eye over the HIPAA issue and security, the sad truth is Britney Spears was the focus and not the overall issue. The headline: "UCLA gets a good look at Britney's Privates" comes to mind. However, that joke, while funny is just too easy.“People still gossip,” Lois Richardson of the California Hospital Assn. told the Times. “They're nosy; they're curious. They want to be able to tell their friends, 'I saw Britney's records.' Their friends are asking. That's just how people are.”This is true, but this is also the reason strong policy enforcement is needed in the IT field. It is sad to think that millions are spent on IT security, but simple record restrictions would have prevented this. I have no love for Spears; I feel she brought her troubles on herself. However, she did not deserve to have her civil rights violated. No one does.It is very likely that because she is who she is, Spears’ records were open for mass consumption. During her ordeal, daily news, including medical information, was reported online and over the air.There is also the issue that most of the staff slated for termination are basic and regular workers, and none of the MD’s were targeted. While I still think the IT staff needs looked at, the obvious stance of “let’s protect the doctors” is an issue all its own.

Talkback

Add your comment (no registration required)

page: 1

CuriousMar 20th, 2008 - 13:45:12

What evidence is there that healthcare software supports patient privacy anyways? Patients have no options for controlling access to their health records.

Report this comment

SteveMar 21st, 2008 - 06:55:52

@Curious

Sadly, you are correct, but there are measures on the books that should be enforced, and UCLA failed to enforce them. My wife is an MA, so I learned all about HIPAA, and from how she explained it the system is - at best - being secured at 40% or so. Some offices are apparently still using paper records.

I guess my grip is that while the employees were wrong to access private info they did not need access too, IT was just as guilty for allowing them the access.

Report this comment

Curious CanadianMay 15th, 2008 - 20:16:56

I see lots of criticism towards IT but no concrete solutions to the problem in this article. The article doesn't mention what level of employee's were accessing Britney's data. Nurses, doctors and many practitioners need to be able to access patient data to do their jobs. The fact that IT was able to do an audit on the medical system records and find logs on which employee's viewed Britney's confidential data shows that they did do their job.

IT can't stop a health care employee or doctor who is authorized to access patient information from viewing patient records. You failed to enlighten us how it's possible to put access controls on each individual patient from users who are authorized to view that data. That's just silly. The fact that you would even hint at blaming the doctors makes no sense to me either. If a nurse who has signed an confidentiality agreement logs into her user account and views Britney's data and leaks it to the press than she is in breach of contract and should be fired. It's not IT's fault for her actions.

Now if it were a cleaning lady, janitor or mail delivery person who managed to walk in and steal Britneys records to leak to the press than there needs to be tighter access controls. Of course this article leaves lots to the imagination and doesn't describe critical details in assessing who is to really blame so how you can PIN it on IT is beyond me. IT can't stop a nurse from sharing a username and password with a colleague and IT can't force employees to follow best practices. The employees are warned when they're hired how to handle private data and they're the ones who are responsible.

Report this comment

page: 1

Add your comment (no registration required)

Security

HIPAA breakdown fuels pop star’s fading public image

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print