Watch CBSN Live

Why Hospitals Don't Want You to Know Who Looks at Your Medical Records

The American Hospital Association, a lobbying group for hospitals, is urging the Obama Administration not to enforce a rule that requires healthcare providers to tell patients who has accessed their medical records. Although the AHA claims it doesn't want to add a new layer of bureaucracy in hospital management, nixing the rule would also keep patients in the dark about how easily accessed their "private" medical records are.

Most of us imagine our medical records sitting unseen in a locked filing cabinet, only being read when the doctor herself needs to examine us. But under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, telemarketers, debt collection agencies, the Social Security Administration and your boss all have access to some or all of your medical information under certain circumstances.

Worse, electronic medical records in the databases of large institutions like hospitals are often open to any employee who has a computer terminal and a system password. In 2008, UCLA Health System paid $865,500 to settle allegations with the federal government that as many as 70 employees were checking out the health records of celebrities such as Britney Spears, Farrah Fawcett and former California first lady Maria Shriver. One administrative assistant was caught selling the information to the National Enquirer.

100 different remote logins
In some institutions, there just aren't that many safeguards preventing any random nurse or assistant from browsing the records of interesting or prominent patients. You don't have to be very prominent to be "prominent," either. According to Marion Jenkins of the consultancy QSE Technologies:

For example, we did some HIPAA security work some time back for a clinic in a small town. Most of the area clinics and providers -- and many members of their staffs -- had remote access into the local community hospital's IT systems. A few months before our engagement there, and unrelated to it, there was apparently some kind of weekend altercation involving a well-known, high-profile local couple, and one of them ended up in the hospital ER.

By Monday morning there had been over 100 different remote logins to the hospital's electronic record system. It probably wasn't a single provider checking the details on his/her patient -- it was other people in town, no doubt merely curious or looking for gossip fodder.

Allowing patients to know who gets to look at their records, and when, would create an incentive for hospitals to be more careful with patient data. It would also give patients a more realistic idea of how much privacy they don't have.

AHA: we already suck
The AHA argues hospitals shouldn't have to do this because they are already incompetent at handling medical records:

For many hospitals these records are maintained across several different systems (both electronic and paper). In order to comply with a request for an access report for PHI [patient health information] maintained in a designated record set electronically, it would require manual identification and compilation of relevant records from each system.
Many electronic systems that qualify as part of designated record set, such as billing systems,
may not have the required functionality to allow them to easily download access to one patient's information. Therefore, in practice, hospitals may have to resort to printing records from such systems and then manually compiling them to provide a comprehensive report of access to PHI in electronic designated record sets.
In other words, AHA says, our systems are so screwed up that the simple act of extracting information from them is too difficult.

The Health and Human Services Administration should ignore the AHA. The new guidelines cover "electronic records." It would be neither difficult nor unreasonable to ask hospitals to change their software to require officials to identify themselves when accessing a record, perhaps with a password. The software could then store the identity and time the access was made, and a summary of the information accessed, as required by the new proposed guidelines. It could also lock out non-medical staff, or show them only need-to-know information.

That doesn't seem too laborious. Dealing with patients who are shocked at how many total strangers have looked at their medical files is another story.


View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.