How does one prevent snooping of patient records through a hospital, regional or local clinical information system? Reading an article in The Medical Post earlier today titled 'Suspension, $22k fine for doctor who snooped into patient files', I was brought back to some work that I had done in 2006/2007 as a participant on the British Columbia eHealth provincial privacy working group. At that time we had many discussions regarding the privacy of patient information and the risk of inappropriate access by medical professionals.
The Medical Post article describes a situation in which an Edmonton physician at the Misericordia Hospital accessed the medical records of three patients with whom she did not have a physician relationship. The access took place via a hospital computer after a colleague failed to log out of a computer terminal. The disciplinary action was brought against the physician by the College of Physicians and Surgeons of Alberta. It was found that she was aware of the inappropriate access and also aware that she would not leave a fingerprint trace of her access, as she used another physician's login to access the records.
This is one of those potentially avoidable situations that is unfortunate for both the patients and the perpetrating physician. After-the-fact identification of privacy breaches is the norm in today's world, in large part because the mechanisms to identify inappropriate actions generally operate through either a complaints process or a post-event audit. It is very difficult to avoid breaches such as this particular example, which appears to have had a calculated element to it, although the physician in question did not 'disclose or make use of the information' in any way. In addition to the fine, the physician received a 60-day suspension and was also ordered to attend an ethics class.
As EMR/EHR/clinical systems become more commonplace in hospitals as well as a variety of other clinical settings, this incident raises a flag in two areas:
- All clinical team members should receive more extensive training on appropriate access to and use of electronic health information, including the ethics related to inappropriate access, and
- Clinical systems need to integrate more effective mechanisms both to identify inappropriate behaviours early through real-time analytics and to present warnings and alerts that deter inappropriate access before the actions occur.
If this physician was aware of the risks and realized that her behaviour was going to be detected, I doubt that she would have proceeded.
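As an added illustration of the second point (this is not code from the article or from any clinical system), the sketch below reviews an access log as events arrive and flags two signals present in this incident: a record viewed by a login with no care relationship to the patient, and a session that resumes after a long idle gap without a fresh login. The log format, the login and patient identifiers, the care-team table and the 15-minute idle limit are all assumptions made for the example.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed policy value, not from the article

# Constructed care-team assignments: (login, patient_id) pairs with a treating relationship.
CARE_TEAM = {("dr_a", "P100"), ("dr_a", "P101"), ("dr_b", "P200")}

# Constructed audit log: time, login, terminal, action, patient_id.
AUDIT_LOG = """\
2024-03-04T09:00:00 dr_a T1 login -
2024-03-04T09:02:10 dr_a T1 view P100
2024-03-04T09:05:30 dr_a T1 view P101
2024-03-04T09:41:00 dr_a T1 view P300
2024-03-04T09:42:15 dr_a T1 view P301
2024-03-04T10:00:00 dr_b T2 login -
2024-03-04T10:01:00 dr_b T2 view P200
"""


def review(log_text, care_team, idle_limit=IDLE_LIMIT):
    """Return (timestamp, login, patient_id, reasons) for each suspicious view."""
    last_seen = {}  # (login, terminal) -> time of that session's previous event
    alerts = []
    for line in log_text.splitlines():
        ts, login, terminal, action, patient = line.split()
        when = datetime.fromisoformat(ts)
        session = (login, terminal)
        previous = last_seen.get(session)
        last_seen[session] = when
        if action != "view":
            continue  # a login event only refreshes the session clock
        reasons = []
        if (login, patient) not in care_team:
            reasons.append("no_care_relationship")
        # A view long after the session's last activity (or with no recorded
        # login at all) suggests a terminal that was left logged in is being
        # used by someone other than the account holder.
        if previous is None or when - previous > idle_limit:
            reasons.append("stale_session")
        if reasons:
            alerts.append((ts, login, patient, reasons))
    return alerts


if __name__ == "__main__":
    for alert in review(AUDIT_LOG, CARE_TEAM):
        print(alert)
```

The same two checks could drive an on-screen warning before the record opens, which is the deterrent half of the point above.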