New reports out of LA show that UCLA Medical Center employees love looking at the medical records of celebrities. Nice!
So, the employees got caught looking and now they're paying the price. I get that. I'm supportive. More interesting to me is that in a small, medium or large HR shop, HR people have access to a lot of PHI, often without the login security and tracking that an EMR provides. Also, a lot of PHI-related data exists in medical files. Here's the $64K question. If given the chance, would your HR people look at that data and maybe look up a code on the treatment provided? Are you sure?
More on the UCLA Medical Center situation from the LA Times:
"Even after UCLA Medical Center warned employees that it was cracking down on unauthorized access to medical records, the privacy of a "well-known individual" was breached by two nurses and an emergency room technician who called up the patient's computerized records in mid-April, according to a critical state report released Monday.
Monday's report was the fifth by the public health agency following articles in The Times this year about UCLA employees' prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.
State regulators continue to fault the hospital for failure to take adequate steps to maintain patient confidentiality. After the April violations, the report said, one nurse was fired and the two other employees received warnings.
The latest findings detail how one employee -- a former administrative specialist who faces federal criminal charges for violating Fawcett's privacy -- looked at the records of 939 patients "without any legitimate reason" from April 2003 to May 2007. In previous reports, the state had linked her to viewing the records of about 60 patients. She also looked at other personal information, including Social Security numbers, the state now says."
Now, that's what I call an admin gone bad... Do you even know what your employees have access to? How do you protect access to this type of information on Joe Schmoe? The same procedures/systems that protect Schmoe protect Paris.
Human nature is at work here. We're imperfect. Name a privacy officer in your department and route all system access, dealings with medical vendors, FMLA certifications, etc. through them unless someone has a need to know or is working the case.
I mean, can you imagine how many HR people would take a peek at David Hasselhoff's medical history? The life-event section of the employee file alone probably requires one of those book-size rubber bands....