On my way to work this morning I was appalled to hear journalists reporting on a ProPublica article released today on hospitals and medical facilities blatantly violating patients’ medical privacy. Many of the instances were clearly human error, such as handing a patient the wrong file, but what was shocking to me were the several instances in which employees accessed patient files or the files of other employees in order to snoop, or for more nefarious reasons like blackmailing whistleblowers. As a compliance officer, the first red flag is CONTROLS. But as a human being, I am saddened by the lack of ethical judgment of the employees. This ultimately stems from a lack of empathy for their fellow employees and the patients in their care.
How were employees able to access patient and employee records so easily? In one instance, 109 pages of patients’ full names, DOBs, SSNs, gender, height, weight, name of medication, clinic name, provider’s name and more were printed and discarded in a trash bin, which was later placed outside for normal trash pickup (instead of being shredded), and was discovered by cleaning staff who reported it to the compliance department (thankfully!). Why was a staff member able to print such comprehensive information on so many patients in one report? Why were SSNs, DOBs, etc. not masked for privacy before being printed (a system control)? Why was an alert not immediately sent to a compliance officer notifying them that patient data had been downloaded and printed?
Another incident involves a male VA employee who was allegedly dating or wanted to date a female patient. He accessed the patient’s records while off duty. Shockingly, his supervisor argues that he did not need to know about the breach because it occurred outside of his employee’s working hours!
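The two system controls the preceding paragraphs ask for, masking identifiers before a report is printed and alerting compliance when records are printed in bulk or viewed outside working hours, are straightforward to implement over an EHR audit trail. The following is an added illustrative example written for this post; it is not code from ProPublica, the VA, CVS or any EHR vendor. The audit-log format, the user names, the 50-record print threshold and the shift schedule are all assumptions, and the log lines are constructed.

```python
"""Added example: audit-trail controls for printed and off-hours record access.
Illustrative code written for this post, not any vendor's software.  The log
format, field names, the 50-record print threshold and the shift schedule are
assumptions."""
import re
from datetime import datetime

# Constructed sample audit lines: timestamp,user,action,record_count,patient_id.
# The 109-record PRINT mirrors the discarded report the post describes.
SAMPLE_AUDIT_LOG = """\
2015-07-21T09:12:03,jdoe,VIEW,1,P1001
2015-07-21T09:40:55,jdoe,PRINT,109,BULK
2015-07-21T22:17:41,rsmith,VIEW,1,P2042
2015-07-21T14:05:10,rsmith,VIEW,1,P2043
"""

# Assumed shift schedule per user: (start_hour inclusive, end_hour exclusive).
SHIFTS = {"jdoe": (8, 17), "rsmith": (8, 17)}

# Assumed policy: a single print/export job touching more than this many
# records is escalated to compliance rather than silently allowed.
BULK_PRINT_THRESHOLD = 50


def parse_audit_log(text):
    """Parse the constructed CSV-style audit log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, count, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count), "patient": patient})
    return events


def detect_bulk_print(events, threshold=BULK_PRINT_THRESHOLD):
    """Alert on any PRINT/EXPORT job whose record count exceeds the threshold."""
    return [f"BULK_EXPORT user={e['user']} records={e['count']} at={e['ts'].isoformat()}"
            for e in events
            if e["action"] in ("PRINT", "EXPORT") and e["count"] > threshold]


def detect_off_hours_access(events, shifts=SHIFTS):
    """Alert on record access outside the user's scheduled shift.
    Users with no schedule on file are treated as always on shift."""
    alerts = []
    for e in events:
        start, end = shifts.get(e["user"], (0, 24))
        if not (start <= e["ts"].hour < end):
            alerts.append(f"OFF_HOURS user={e['user']} patient={e['patient']} "
                          f"at={e['ts'].isoformat()}")
    return alerts


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def mask_for_print(record):
    """Return a copy of a patient record with the SSN reduced to its last four
    digits and the DOB reduced to the birth year, which is usually all a
    printed report needs.  The stored record itself is left untouched."""
    masked = dict(record)
    masked["ssn"] = SSN_RE.sub(r"***-**-\3", record["ssn"])
    masked["dob"] = DOB_RE.sub(r"\1-**-**", record["dob"])
    return masked


def run_controls(log_text=SAMPLE_AUDIT_LOG):
    """Run both detections over a log and return the combined alert list."""
    events = parse_audit_log(log_text)
    return detect_bulk_print(events) + detect_off_hours_access(events)


if __name__ == "__main__":
    for alert in run_controls():
        print(alert)
    # Constructed patient record, masked the way a print job should see it.
    print(mask_for_print({"name": "Example Patient",
                          "ssn": "123-45-6789", "dob": "1980-02-14"}))
```

Run against the constructed log, the script raises one bulk-export alert for the 109-record print job and one off-hours alert for the 22:17 record view, and shows the SSN and DOB in the masked form a printed report would carry. In a real deployment the alerts would be routed to the compliance officer and the masking applied in the reporting layer, so that a user who can view a record still cannot print the full identifiers by default.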
The central article on ProPublica’s website describes CVS call center employee Joseph Fenity who was also a pharmacy customer of CVS. While walking by an open office he overheard co-workers discussing his prescription for ADD medication (which was disclosed to the co-worker while on duty as a call center representative). The employee was fired, but Fenity was so embarrassed he took a leave of absence and was later fired for not returning to work.
Processes and procedures to encrypt private data and prevent data from being downloaded or shared without necessity are critical, but organizations (large and small) must do a better job of training employees to empathize with the faceless patients who are trusting these organizations with their most private information. What kind of organizations would we have if empathy were ingrained within the corporate culture just as much as productivity and revenue? Colleagues, shareholders and customers all deserve empathy in addition to mere compliance controls.