I was running my usual searches and the like to find items that I might want to post to my blogs, when I came across a link to an item and where the first line or so of the entry in the search engine results looked interesting. So I clicked on the link, only to be taken to a Blogspot notice:
This blog is open to invited readers only
Well, I clearly wasn’t an “invited reader,” but I was curious and so I decided to see if I could access the entire blog entry. It took less than a minute, of course.
Sadly, the person who wrote the blog entry has no idea that what she thought was secure and private is neither. Because she does not give her email address anywhere, I cannot send her an email to alert her that if she’s really concerned for her safety as well as her privacy, she needs to secure her blog better. Or better yet, remove it from the web altogether.
In any event, here’s just a small bit of what the situation involved. I’ll assume that the facts are as she alleges:
1. She is a patient at Hospital A.
2. Hospital A grants all physicians a login that gives them access to all patients’ records, not just their own.
3. An employee of a physician who is not, and has never been, her physician has accessed her hospital files numerous times over a multi-year period. The employee does so for the usual kind of personal reasons.
When the patient contacted the hospital, they reportedly denied all responsibility for the breach and pointed at the physician whose employee was inappropriately accessing the files.
The physician said that it was not his responsibility to protect the PHI of someone who isn’t his patient.
The medical licensing board won’t take a complaint against the physician because there is no doctor-patient relationship.
There’s a lot more, of course, but that’s the issue I wanted to address here.
Although the blogger focuses on the employee and physician, this is a matter that should be reported to HHS. The hospital has, in my opinion, clearly failed big time to control access to patient records. They have also failed to audit access logs. This is a failure on the hospital’s part.
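The two hospital failures named above, giving every physician's login access to every patient's chart and never reviewing the access log, have a straightforward technical counterpart: an authorization check tied to an actual treatment relationship, and a periodic review of the access log against that same relationship table. The Python below is an added illustration for this post, not code from the blog, the hospital or any real EHR product; the care-team table, the audit-log format and every user and patient identifier in it are constructed for the example.

```python
"""Relationship-based access control plus audit-log review for patient records.

Everything here is constructed for illustration: the care-team table, the
audit-log format and all identifiers are made up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed care-team table: which staff have a treatment relationship with
# which patient. This is the "minimum necessary" boundary, instead of a blanket
# "all physicians can see all records" rule.
CARE_TEAM = {
    "P-1001": {"dr_alvarez", "nurse_kim"},
    "P-1002": {"dr_singh"},
}

# Constructed audit log, one access per line:
# timestamp,user,role,patient,action
AUDIT_LOG = """\
2021-03-02T09:14:00,dr_alvarez,physician,P-1001,view
2021-03-02T11:40:00,office_staff_7,clerk,P-1001,view
2021-06-18T15:02:00,office_staff_7,clerk,P-1001,view
2022-01-09T08:55:00,office_staff_7,clerk,P-1001,view
2022-11-21T17:30:00,office_staff_7,clerk,P-1001,print
2022-11-21T17:35:00,dr_singh,physician,P-1002,view
2022-11-22T10:00:00,nurse_kim,nurse,P-1001,view
"""


def parse_audit_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return entries


def is_authorized(user, patient, care_team=CARE_TEAM):
    """True only if the user is on the patient's care team (assumed rule)."""
    return user in care_team.get(patient, set())


def request_record(user, patient, care_team=CARE_TEAM):
    """Enforcement side: deny the lookup when no treatment relationship exists.

    Returns a placeholder record on success and raises PermissionError otherwise,
    so a denied attempt never reaches the chart at all.
    """
    if not is_authorized(user, patient, care_team):
        raise PermissionError(f"{user} has no care relationship with {patient}")
    return {"patient": patient, "released_to": user}


def find_unauthorized_access(entries, care_team=CARE_TEAM):
    """Review side: every logged access with no matching care relationship."""
    return [e for e in entries
            if not is_authorized(e["user"], e["patient"], care_team)]


def summarize_by_user_patient(flagged):
    """Group flagged accesses per (user, patient) to expose repeated snooping.

    Returns count, first and last timestamp and the span in days, which is what
    an auditor needs to see a multi-year pattern rather than isolated lookups.
    """
    groups = defaultdict(list)
    for e in flagged:
        groups[(e["user"], e["patient"])].append(e["ts"])
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        summary[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "span_days": (stamps[-1] - stamps[0]).days,
        }
    return summary


if __name__ == "__main__":
    entries = parse_audit_log(AUDIT_LOG)
    for key, info in summarize_by_user_patient(find_unauthorized_access(entries)).items():
        user, patient = key
        print(f"{user} accessed {patient} {info['count']}x over {info['span_days']} days")
```

Run as a script, the review pass reports the constructed clerk account touching a chart it has no relationship with four times across roughly two years, which is the pattern a routine log review would surface long before a patient has to discover it herself. The same `is_authorized` function drives both the enforcement check and the audit, so the two cannot drift apart.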
While the patient may have some cause of action against the employee, someone needs to straighten the hospital out. If the allegations are true, their failure to take responsibility for this privacy breach is offensive, to say the least.
And no, I do not know the name of the hospital. I do wonder if they ever advised the patient that she had the right to file a complaint with HHS if she was not satisfied with their response. There’s no mention of that in her account of the breach.