January 19, 2007

Ease of info access can be tempting — and costly

If you have an urge to use one of VUMC's patient databases to check on a colleague, you might want to think twice before acting.

The VUMC Privacy Office wants Medical Center faculty and staff who have access to patient databases such as Star Panel and Wiz Order to keep in mind that access to patients' medical records is being closely audited for potential privacy violations.

Audits by the Privacy Office have uncovered instances where faculty and staff inappropriately accessed medical records of co-workers, or others not under their care.

Allen B. Kaiser, M.D., chief of staff for Vanderbilt University Hospital, said peering into a co-worker's medical records without appropriate authorization, even when done with the best of intentions, is a violation of VUMC policy.

While such violations have been rare, when discovered, they have resulted in probation and even termination.

“The Privacy Office has found that violators are most often of two types,” Kaiser said. “One type is the individual who is curious about one facet of a co-worker's personal information, such as what hospital room they are in if hospitalized, or maybe something as innocent as a home phone number.

“So rather than going about trying to find out this information through appropriate means, they go into someone's records and only then realize they have 'crossed the line' by having access to this person's very personal health information,” Kaiser said.

“The other common type of privacy violator is the individual who is interested in facilitating quicker access to medical records, so they share their user name and password with someone who reports to them. Perhaps the individual does this to facilitate the processing of large numbers of medical records. Because the other individual in this equation may also have access to Star Panel, this may seem innocuous.

“But the fact someone is entering into these records under someone else's ID opens the door for further inappropriate use,” Kaiser said.

Presently the Privacy Office is conducting audits of 50 percent of the medical records of Vanderbilt employees who are admitted as patients.

“So you have a 50/50 chance of being caught if you are found doing something inappropriate,” Kaiser said. A goal of the Privacy Office is to eventually audit 100 percent of Vanderbilt family records.

“I think we are becoming more accustomed to using Star Panel all over campus and have integrated its use into the way we work,” said Gaye Smith, VUMC privacy official.

“We're becoming somewhat desensitized to the amount of information that's immediately available.”

Smith said that in many instances where faculty and staff have opened unauthorized medical records, people just weren't thinking about it as a possible privacy violation.

“When these individuals are confronted, often they are immediately apologetic when they realize what they have done and that there is a better way to go about what they were trying to accomplish,” she said.

However, in a handful of instances the intent of the privacy violator has been to harm a co-worker in some manner through the use of this inappropriately obtained information.

“Whether an employee has a compassionate concern or malicious intent about a colleague is carefully investigated and is factored into the disciplinary action,” Smith said.

Using Star Panel or other patient databases for unauthorized purposes is strictly against VUMC policy. When instances of privacy violations are discovered during the auditing process, or are reported by co-workers or patients, this triggers an investigation by the Privacy Office.

During these investigations the Privacy Office looks closely at the intent of the individual who accessed the medical records, or who illegally shared their access ID with others.

The individual's intent or actions then help determine the punishment, which can include censure or even dismissal.

The Privacy Office wants to remind all employees who have access to confidential patient information via medical center databases to be aware their access to these records is being carefully watched.

“We can tell what documents have been opened and precisely how long someone was looking at them,” Smith said.

Smith said there is an existing Medical Center form that employees can complete if they wish to give individuals other than those already authorized access to their medical records. Without this completed document, even spouses are violating VUMC's privacy standards by accessing their husband's or wife's medical records.

Only a person's own medical records, or the records of children (minors) whose parents have legal guardianship rights, can be accessed without prior authorization.

“Without appropriate documentation, even the seemingly innocent act of looking at a spouse's records is a violation,” Smith said.