Iowa hospitals crack down on employee snooping
Clark Kauffman of the Des Moines Register has a round-up of area hospitals that have fired employees for snooping in patient files:
In each of the cases, the workers had unfettered access to portions of patients’ medical records. Some allegedly used that access to snoop through the patient files out of purely personal interest, while others are accused of improperly sharing patient information with others.
- Mahaska County Hospital fired a patient-orders coordinator for snooping. One of the patients whose data were improperly accessed was a volunteer at the hospital; the other was the ex-wife of the coordinator’s current boyfriend. Another patient-orders coordinator at the hospital was also fired for snooping; some of the patients whose records she improperly accessed were the mother of her adopted child, her ex-husband, her husband, and other relatives. The hospital did not seem to have uncovered the privacy breaches on their own and only seem to have found them when others filed complaints.
- Keokuk Area Hospital fired an employee after she allegedly used Facebook to exchange public messages about a patient with another health care professional.
- Mercy Hospital Medical Center of Des Moines fired an employee for snooping into patient files they had reportedly been cautioned not to access — files that related to the birth of a child at the hospital.
- University of Iowa Hospitals fired a clerk in the phlebotomy clinic in a “loose lips” incident. According to the newspaper report, she allegedly told a co-worker, in the presence of several other hospital employees, about a patient who played on one of the university’s sports teams, revealing both his name and medical condition for which he was having blood drawn.
According to Kauffman:
In each of the cases, the workers had unfettered access to portions of patients’ medical records.
Security and access controls — as well as audits of access logs — are an essential part of good security and privacy controls. Although the hospitals may have done the right thing in terminating employees who violate patient privacy, and keeping in mind that in at least some cases, they did not discover breaches on their own, it would be nice to know what changes they have since made to prevent unfettered access.
Thanks to the reader who sent in this link.