NZ: Woman posted wrong patient’s medical records

By , June 19, 2013 6:32 am

It seemed to be “just another” case where a district health board made a mailing error and sent a patient’s records to the wrong party. But the response of the privacy commissioner disturbed me somewhat.

The West Coast District Health Board has apologised after it posted two pages of a woman’s private medical records to the wrong person.

The papers were mistakenly sent to Ashburton woman Jen Branje, who was living in Westport when she had surgery at Grey Base Hospital last year.

She lodged an ACC claim, and asked the hospital to post her records to back up her complaint.

They arrived in the mail, but were accompanied by two additional pages belonging to a different Westport woman with a completely different name and NHI patient number.

“I could understand it if they hit the wrong computer button,” she told the Greymouth Star today. However, the information she received was in paper copy.

Ms Branje started trying to contact the other woman, and also phoned the Privacy Commissioner, who told her the files should be immediately returned to the hospital, their contents must not be disclosed and she must not contact the other woman.

She was told it was up to Greymouth Hospital, not her, to disclose the breach.

“Must not contact?” If the privacy commissioner ordered or tried to forbid someone from calling anyone about a breach, doesn’t that exceed some authority somewhere? Yes, the hospital or district health board needs to contact the patient about the matter, but telling the recipient that she must not contact the patient strikes me as… wrong. Unless there is some law in New Zealand that I don’t know about that prohibits such contact?

Read more on New Zealand Herald.

PA: Ephrata Community Hospital fires employee for snooping in patient records

By , June 18, 2013 3:21 pm

In a statement on their web site linked from their home page as a privacy notice, Ephrata Community Hospital in Pennsylvania writes:

Ephrata Community Hospital takes our obligation to protect our patients’ personal health information seriously. Regrettably, this notice concerns some of that information.

On April 16, 2013, we learned that one of our employees had accessed patient medical records prior to that date. Viewing these medical records was outside the employee’s job duties. We immediately began an investigation and confirmed that the employee viewed some patients’ electronic medical records and may have accessed clinical information. The employee did not access any Social Security numbers or other financial information, and Ephrata terminated the employee.

We have no reason to believe that the information was used in any way, but as a precaution, we began sending letters to affected patients on June 14, 2013. We have also established a dedicated call center for patients to call with any questions. If you believe you are affected but have not received a letter by July 1, 2013, please call 1-888-414-8021, Monday through Friday between 9:00 a.m. and 7:00 p.m. Eastern Time. When prompted, please enter the following 10-digit reference code: 8934061413.

We regret any inconvenience this may cause our patients. To help prevent something like this from happening in the future, we are reinforcing education with all staff regarding the importance of maintaining the confidentiality of our patients’ information and appropriate care-related access to patient records.

The hospital did not respond to emails sent both yesterday and today asking them when the improper access first began, how the hospital discovered or learned of the breach, the department the employee worked in, and the number of patients affected.

HHS releases statement on Prime Healthcare/Shasta Regional settlement

By , June 14, 2013 7:13 pm

In a press release issued yesterday and posted today, HHS writes:

Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle a U.S. Department of Health and Human Services (HHS) investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The HHS Office for Civil Rights (OCR) opened a compliance review of SRMC following a Los Angeles Times article which indicated two SRMC senior leaders had met with media to discuss medical services provided to a patient. OCR’s investigation indicated that SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review indicated that senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce. In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez. “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”

In addition to a $275,000 monetary settlement, a corrective action plan (CAP) requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf

NC veterans’ PHI left in recycle bin

By , June 14, 2013 6:01 pm

Associated Press reports:

The Veterans Affairs hospital in Fayetteville says documents containing the personal information of nearly 1,100 veterans were found in a recycling bin two months ago.

The Fayetteville VA Medical Center announced Friday it’s notifying the 1,093 affected veterans whose consultation reports from the optical shop were incorrectly placed in a recycle bin over a three-month period. The documents found April 17 contained patients’ names, Social Security numbers, dates of birth, addresses and prescriptions.

Read more on Enquirer-Herald. There doesn’t seem to be any statement on the center’s web site as of the time of this posting.

Did Auckland District Health Board overreact to privacy breach?

By , June 14, 2013 7:53 am

In the U.S., we expect entities to take strong and effective action to address employee snooping or improper sharing of patient confidential information. But a professional group in New Zealand is not happy with the Auckland District Health Board’s response to a breach previously reported on this blog involving a patient who sought emergency treatment for an eel up his tuchus. His records were shared among staff and somehow made their way to the media, leading to the ADHB disciplining over 30 employees at Auckland City Hospital.

Ruth Larsen reports that the ADHB’s circulation of the privacy agreement has drawn some strong criticism from the executive director of the Association of Salaried Medical Specialists:

Particularly objectionable is a clause stating passwords and logins must never be shared, and staff are accountable for all transactions in Auckland DHB information systems under their login/password, he says.

There are often good reasons for other staff members to share patient files, Mr Powell says.

Wait, what? There are good reasons to share patient files, but if you let a colleague access a file under your login and you walk away, do you know what else they’re accessing? How many times have we seen this here – where shared logins or failure to log out led to theft of patient information? The ADHB is correct, in my opinion, to reinforce the importance of not sharing passwords and login credentials.

Under the agreement, staff are also expected to ensure anti-virus software is installed and up-to-date on the computer they are using.

Well, okay, there I might agree with any pushback. That shouldn’t be on employees unless it’s a BYOD, and should rest with the hospital’s IT department.

Sending out the agreement shows a top-down mentality within the DHB, he says.

However, ADHB chief executive Ailsa Claire says in a media statement the privacy agreement is one all staff sign when they begin employment at the DHB.

It is exactly the same document that has been in use since 2008, Ms Claire says. (emphasis added by me)

“We are reissuing it to raise awareness of privacy and the absolute commitment ADHB has to ensuring patients’ records are not inappropriately accessed.”

Ms Claire acknowledges there are “issues” with the form and has given a commitment to work with staff to remedy them.

ASMS members have been advised not to sign the agreement and the association has requested the DHB replace it with a reminder to staff of their obligations regarding privacy.

Note that this was posted on nzDoctor.co.nz. Because they do not include a copy of the agreement, it’s impossible to know exactly what the wording is and what changes might be reasonable to make, but no, it is not enough to just remind staff of their obligations to protect privacy and confidentiality. Employees need to sign agreements, they need to know they are being watched and that their access is being logged and audited, and they need to know that there are consequences for failure to adhere to the privacy policies. The protections are there for the patients, and if staff find them inconvenient or that they interfere with patient care, start a serious discussion, but it is not effective to just send a reminder as the association is requesting. We have too many breach reports proving otherwise.
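The logging and auditing the post says staff should expect can be made concrete. What follows is an added example, not code from the original post or from any DHB or hospital system; the log format, user names, workstation IDs, patient IDs and care assignments are all constructed. It checks an access log for the two things the posts above turn on: accesses to patients outside a user's care assignment (the "outside the employee's job duties" pattern in the Ephrata notice), and one login active on two workstations within a few minutes of each other, which is what a shared password looks like once access is actually logged.

```python
"""Audit constructed EHR access-log lines for out-of-scope record access and
for shared-credential use (one login, two workstations, same few minutes).
Added example: format, users, workstations, patients and assignments are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, workstation, action, patient ID.
SAMPLE_LOG = """\
2013-06-10T09:01:00 nurse_a WS-12 VIEW P1001
2013-06-10T09:03:00 nurse_a WS-12 VIEW P1002
2013-06-10T09:04:00 nurse_a WS-31 VIEW P1007
2013-06-10T09:20:00 clerk_b WS-05 VIEW P1002
2013-06-10T11:45:00 clerk_b WS-05 VIEW P1009
"""

# Constructed care assignments: the patients each user legitimately works with.
# In a real system this would come from rostering / treatment-relationship data.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1002"},
}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "workstation": workstation,
            "action": action,
            "patient": patient,
        })
    return events


def out_of_scope_access(events, assignments):
    """Return (user, patient, ts) for every access to a patient the user is not
    assigned to. A user with no assignment entry is treated as assigned to nobody."""
    return [
        (e["user"], e["patient"], e["ts"])
        for e in events
        if e["patient"] not in assignments.get(e["user"], set())
    ]


def concurrent_workstations(events, window=timedelta(minutes=5)):
    """Return sorted (user, workstation_1, workstation_2) triples where the same
    login produced activity from two different workstations within `window`.
    This is a shared-credential indicator, not proof; a hand-off between rooms
    inside the window would also trip it and should be reviewed, not auto-punished."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted, so nothing further is within the window
                if first["workstation"] != later["workstation"]:
                    findings.add((user, first["workstation"], later["workstation"]))
    return sorted(findings)


def audit(text, assignments):
    """Run both checks over a log and return the findings as a dict."""
    events = parse_log(text)
    return {
        "out_of_scope": out_of_scope_access(events, assignments),
        "shared_login": concurrent_workstations(events),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ASSIGNMENTS)
    for user, patient, ts in report["out_of_scope"]:
        print(f"OUT-OF-SCOPE {ts.isoformat()} {user} viewed {patient}")
    for user, ws1, ws2 in report["shared_login"]:
        print(f"SHARED-LOGIN? {user} active on {ws1} and {ws2} within 5 minutes")
```

Run it as-is and it reports nurse_a viewing P1007 and clerk_b viewing P1009 as out of scope, and nurse_a's login appearing on WS-12 and WS-31 a minute apart. The assignment table is the part that needs real data behind it; without a treatment-relationship source the out-of-scope check degrades to "everything is suspicious", which is exactly the review burden that makes hospitals skip auditing.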