Celebrities—be they rock stars or presidential candidates or that crazy guy in the corner screaming about the end of the earth—are ultimately people. They will get sick, and that means that they will have to go to a hospital at some point.
Now, because medical facilities handle a lot of sensitive and confidential patient data, there are many laws and regulations forbidding the dissemination of such information, most notably the Health Insurance Portability and Accountability Act, aka HIPAA. Among other things, HIPAA's Privacy Rule limits access to the minimum necessary: personnel who are not involved in the care of a patient are not supposed to access his or her medical information. Plus, medical workers are specifically forbidden from releasing patient information to unauthorized people.
I bring this up because the media is all over a story about twenty-seven hospital workers who were suspended because they accessed George Clooney’s medical information or revealed it to the media. The investigation is still ongoing according to some sources (about forty people are involved in total), but some of the things reported are egregious.
For example, according to CBS 2 HD (apparently a CBS affiliate):
Sources say while doctors were tending to Clooney’s injuries, employees not involved with his care logged into the hospital computer system to review his medical records.
CBS 2 HD has learned a security guard even gave out the number to one of Clooney’s family members.
Now, I have no idea what that last sentence means, honestly. It sounds as if it was taken out of context in the excitement of posting a story as quickly as possible. Also, some sources say that doctors were among the twenty-seven suspended, while others say that no doctors were suspended. The point is, it's a mess. But let's step back a bit.
The hospital management has come down harshly on these workers, suspending them for a month without pay, which I think is fair. But let's also take the time to look at the hospital management itself.
Before we do that, let’s revisit some information we were given: The security guard was able to access Clooney’s information.
Maybe it’s just me, but it sounds like there is a lack of effective controls at this particular hospital, especially when you consider that forty people are involved. I mean, the HIPAA Security Rule goes into details such as workstation security, that is, whether passers-by can see a worker’s screen and pick up patient information in that oh-so-devious manner. Prevention of information leaks is a big part of HIPAA. Any medical workers who accessed Clooney’s information: I can’t blame the hospital management for that. A hospital needs an open, flexible environment. People don’t go into cardiac arrest on a schedule, right? And even with the best training in the world, some people behave like children when in contact with celebrities. However, if any non-medical workers were able to access medical information, the blame falls entirely on the management: a security guard has no job-related need for a clinical record, so his account should never have been able to open one in the first place.
AlertBoot would have helped in this case by ensuring that only the correct personnel have access to certain machines. Creating, enrolling, and deploying users is a very easy process in AlertBoot, and so is defining who has access to which computers. And with the robust reporting engine in AlertBoot, one of whose reports was created with HIPAA in mind, auditing which hospital personnel have access to which devices is a simple process. Let me just point out here that including a security guard among your medical personnel, or even giving him access to hospital computers, would be almost impossible if you’re using AlertBoot.
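To make the point about controls concrete, here is an added example (my own illustration, not AlertBoot's code and not anything taken from the hospital in the story) of the two halves of such a control: a single policy that gates a record access when it is requested, and the same policy replayed over an access log to surface the exceptions an auditor would want to see. The role list, the care-team roster, the user ids and the log lines are all constructed for illustration; a real deployment would pull the roster from the scheduling or admission system and the log from the EHR's audit trail.

```python
"""Added example: one policy used both to gate and to audit EHR record access.

Neither the policy, the roster nor the log below come from the hospital in the
story or from AlertBoot; they are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical policy: only these roles may open clinical records at all.
# A security guard is not on this list, so role alone blocks him.
CLINICAL_ROLES: Set[str] = {"physician", "nurse", "pharmacist", "radiology_tech"}

# Constructed care-team roster: patient id -> users actively treating that patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"u-dr-lee", "u-rn-ortiz"},
    "P-2002": {"u-dr-patel"},
}

BREAK_GLASS_PREFIX = "break_glass:"


def authorize(user: str, role: str, patient: str, reason: str = "") -> str:
    """Decide a record access. Returns 'allow', 'allow_with_review' or 'deny'.

    Order matters: the role check comes first so that a non-clinical user
    cannot talk their way in with a break-the-glass reason.
    """
    if role not in CLINICAL_ROLES:
        return "deny"
    if user in CARE_TEAM.get(patient, set()):
        return "allow"
    # Clinician not on the care team: allow only with a recorded emergency
    # justification, and flag the access for retrospective review.
    if reason.strip().lower().startswith(BREAK_GLASS_PREFIX):
        return "allow_with_review"
    return "deny"


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    role: str
    patient: str
    severity: str  # "high": policy would have denied it; "review": break-glass
    why: str


def audit(log_text: str) -> List[Finding]:
    """Replay a CSV access log through the same policy and return the exceptions."""
    findings: List[Finding] = []
    for ev in csv.DictReader(io.StringIO(log_text)):
        decision = authorize(ev["user"], ev["role"], ev["patient"], ev.get("reason") or "")
        if decision == "allow":
            continue
        if ev["role"] not in CLINICAL_ROLES:
            why = "non-clinical role opened a clinical record"
        elif decision == "allow_with_review":
            why = "break-the-glass access by clinician outside the care team"
        else:
            why = "clinician outside the care team, no emergency justification"
        severity = "review" if decision == "allow_with_review" else "high"
        findings.append(Finding(ev["ts"], ev["user"], ev["role"], ev["patient"], severity, why))
    return findings


# Constructed audit log (not real data). The security guard and the off-team
# physician on P-1001 are the kinds of access the post is about.
SAMPLE_LOG = """\
ts,user,role,patient,action,reason
2007-10-03T14:02:11,u-dr-lee,physician,P-1001,view_chart,
2007-10-03T14:05:40,u-rn-ortiz,nurse,P-1001,view_meds,
2007-10-03T14:09:02,u-sec-jones,security_guard,P-1001,view_chart,
2007-10-03T14:11:37,u-dr-patel,physician,P-1001,view_chart,
2007-10-03T14:15:00,u-rn-kim,nurse,P-1001,view_chart,break_glass: ER consult
2007-10-03T14:20:19,u-dr-patel,physician,P-2002,view_chart,
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.user} ({f.role}) -> {f.patient}: {f.why}")
```

Running the block lists three exceptions from the six constructed events: the guard (denied on role alone), the physician who is not on Clooney-equivalent patient P-1001's care team and gave no reason (denied), and the nurse who used a break-the-glass justification (allowed, but queued for review). The reason the same function serves both the gate and the audit is that a detective control which disagrees with the preventive one is worse than useless; keeping one policy means the audit report shows exactly what the system would have refused.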
Plus, you use the same list to manage the encryption status of computers. Encryption is an addressable specification rather than an outright requirement under the HIPAA Security Rule, but when you consider the thefts that occur in medical facilities, or the precautions hospitals have to take when disposing of old computer equipment, employing data encryption is definitely an advantage. If the medical facility uses laptops and other mobile devices, full disk encryption can also significantly reduce the ramifications of a data breach down the road.
On a separate note, the reason why I think one month of unpaid suspension is fair for the workers is the following. This is lifted straight from the AMA (http://www.ama-assn.org/ama/pub/category/11805.html):
Violations of the Administrative Simplification Regulations can result in civil monetary penalties of $100 per violation, up to $25,000 per year.
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
I am not a lawyer, but that sounds like significant risk when compared to one-month’s salary.