This case involves a woman whose roommate accessed and shared her sensitive medical records without her consent. Leading up to the event, the woman and her roommate had gotten into a dispute. Because of this dispute, the roommate vengefully logged into the plaintiff’s online records using easily-ascertainable personal information and sent the medical records to the woman’s partner. The records contained information regarding the woman’s history of an incurable sexually transmitted disease which her partner was unaware of. It was alleged that the hospital was negligent in providing sufficient security barriers for accessing sensitive records. An expert in electronic health records was consulted to determine if the hospital was in violation of any regulations that may have forbidden certain information from being accessible online.
Question(s) For Expert Witness
- 1. Please briefly discuss your background with electronic health records.
- 2. Have you encountered a similar scenario in your practice? How are such cases typically prevented?
Expert Witness Response E-070077
I have been involved with electronic healthcare records (EHR) as an end user, analyst, and administrator for 30+ years. This covers the spectrum of EHR – configuration, support, technical components, and clinical workflows, among others. I have not encountered an external security breach but several internal security breaches at a hospital with individuals accessing medical records beyond their scope of practice – lab data, medical histories, and medications. For internal user access issues, different security access rights can be created to limit what a user can access. However, this doesn’t stop someone with appropriate rights from looking at a patient they shouldn’t be accessing. HIPAA privacy and security rules provide a framework that hospitals are held accountable to.
Expert Witness Response E-088037
I have worked in healthcare for the last 6 years in roles responsible for securing the privacy and security of electronic health records. Prior to working in healthcare directly, I was a consultant and consulted with several different health systems. In the practices, I have worked at similar scenarios have either occurred or been feared. Prevention schemes include requiring in-person registration for online access to health records or requiring knowledge of a patient’s electronic medical record number, found on bills but not commonly known to family members, in addition to other more easily accessed information like social security number. A persistent adversary seeking access to an online medical record has a wide variety of approaches they can take depending on how determined they are so prevention may not always be possible while still meeting federal mandates around making these records accessible online.