Clooney factor puts privacy on stage
Not every hospital gets the opportunity to take care of George Clooney. And officials at New Jersey’s Palisades Medical Center are probably regretting their brush with fame after learning that some doctors and nurses took an unauthorized look at the film star’s medical records during his recent stay following a minor motorcycle accident.
Nevertheless, experts say the so-called Clooney incident will teach hospitals and healthcare providers a valuable lesson about patient privacy: Make sure you audit.
“It’s an evolving issue, and one that’s not going to go away right now,” says Reese Hirsch, a San Francisco-based healthcare law regulatory and transactional expert with the law firm of Sonnenschein, Nath & Rosenthal, LLP. “Locking down records is often very problematic from a patient standpoint.”
At the University of Texas M.D. Anderson Cancer Center in Houston, which has seen its share of high-profile patients, EMR Director Chuck Suitor says an application feature flags “patients of high interest” during the registration process and establishes an additional level of authentication for viewing medical records. In addition, the compliance office audits all access to medical records.
As someone logs on, Suitor says, he or she is reminded of the sensitive nature of a patient’s medical information – and that they’re being monitored.
“We are reading what you’re doing,” he says. “We can tell what you’re looking at and we can tell your intent.”
Suitor says the Clooney episode points out that today’s technology is working. Prior to the advent of electronic medical records, he says, hospital administrators would never be able to know for sure who took a peek at a patient’s paper records.
Robert Seliger, co-founder and CEO of Sentillion, an access management vendor, says hospitals have to deal with security issues regardless of whether the patient is famous.
“It’s not just about celebrities – there are neighbors, family members and others out there, too, who might want to look (at someone’s medical records),” he says. “There are computers and access points all over hospitals these days, which is wonderful … but a hospital has to know how to manage these.”
Robert Wolstra, vice president of marketing and business development for Encentuate, says hospitals are moving quickly to adopt new access management technology, “but to my surprise, we’re always running into new scenarios.”
Vendors like Encentuate and Sentillion now offer solutions that not only verify a person’s identity, but also offer “strong authentication” to make sure the right people have access to the right information – in other words, says Wolstra, “to enforce the role that you have been assigned.” The burden, he says, is on the vendors to make access as easy as possible without affecting security.
“You can always find loopholes,” he says.
Seliger, who testified before Congress last year on security and access issues following the theft of a laptop from the Department of Veterans Affairs, says a hospital has to balance immediate access to medical records by medical personnel with a patient’s right to privacy. To do this, administrators have to have security and audit measures in places, and make sure everyone is well educated on the issues.
“Do not impede the care delivery process, but let it be known that patient records are monitored and that there are policies in place,” he says. “The combination of technology and the right value system can’t single-handedly solve everything,” but it does put a hospital on solid footing.
“It is very difficult to practice respectful privacy and deliver healthcare these days while using IT to do both,” he added.
According to Hirsch, there are no standards in place because there are so many EMR systems in use, each with different audit and tracking capabilities. And while organizations like the Healthcare Information Technology Standards Panel (HITSP) identifies standards and specifications to keep patient information secure in an electronic environment, it’s up to the hospitals and healthcare providers to mix the right amount of technology with education.
“Clooney is a high-profile example, but these things happen on a daily basis,” he points out.
Suitor believes Palisades administrators made a public issue out of this breach of security to prove a point: With the right technology in place, hospital employees will be held accountable for every visit into the domain of electronic medical records. Palisades Medical Center officials have not publicly discussed their privacy protocols and what if any security IT is in place. Repeated calls to the hospital were not returned.
“I think that they’re actually lucky that they only got suspended,” he said.