N.J. volunteer EMS agency says patient data was breached
Leila Merrill reports:
A volunteer EMS agency in New Jersey says in a news release that patient data in New Jersey was breached, and it has requested formal hearings in the state Senate and Assembly Health Committees.
The Lincoln Park First Aid Squad, also known as Lincoln Park EMS, announced that it and other squads that are part of the EMS Council of New Jersey 17th and 18th Districts, inadvertently found that the state health department’s office of EMS gave the New Jersey State Police’s Fatal Accident Reporting System access to an electronic medical records system used by ambulance services throughout New Jersey. This is said to be an administrator access, which is high-level, without oversight, and includes access to medical records.
Read more at EMS1
A key part of the press release says:
Federal HIPAA regulations require the Squad to report to the U.S. Department of Health and Human Services any instances in which medical records were accessed without proper authorization. The Squad, through its attorneys Keavney & Streger, LLC, contacted Dr. Terry Clancy, Director of the Office of EMS, to obtain information and determine the nature and scope of the medical records accessed. Rather than provide details to facilitate the investigation, Director Clancy responded that this was normal business under a separate data sharing agreement which has strict limits on the type of information accessible related to opioid overdoses. Instead, this appeared to be a completely new granting of blanket access to any medical record without controls. Rather of answering these reasonable questions, the Squad and its members were threatened with discipline for pausing data sharing with the State to ensure privacy protections during the investigation.
The Squad contacted Commissioner Judith Persichilli with these concerns, but no reply whatsoever was received to that request. As a result, the Squad has requested formal hearings on this topic in the Senate and Assembly Health Committees.
So if this was an accidental misconfiguration that allowed access, you’d think the state would issue a statement and investigate and notify properly. Instead, it sounds like the squad feels they are being stonewalled or lied to. Was this legitimate and permissible access or not? If the state won’t investigate, maybe HHS OCR will.