First it was "Clooneygate", when healthcare workers at a hospital in New Jersey improperly accessed the medical records of George Clooney, resulting in the suspension of dozens of healthcare workers.
Now the LA Times is reporting here that a number of healthcare workers at the UCLA medical center also recently improperly accessed the medical records of Britney Spears. UCLA is firing 13 healthcare workers and disciplining a number of others.
Clearly there are HIPAA violations in both cases. Healthcare organizations are caught in a difficult spot here, as their culture has been first and foremost about providing quality care, which generally means getting clinicians fast (and fairly open) access to patient data. The idea of limiting access to just those with a "need to know" is contrary to the way in which hospitals have operated for the last 100 years or so.
So despite what the HIPAA Security and Privacy Rules say about limiting access to EPHI (and they aren't very granular here; they don't specify need-to-know on a per-patient or per-case basis), such limits go against the grain of how HCOs have actually operated for a long time.
Jim Hietala
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University.
Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com