A false sense of security?
By ALLEN GILBERT | November 18, 2012
Our electronic medical records are supposed to be protected by layers of security, and we expect that violators who breach the security will receive stiff punishments. But a Bennington woman — after her e-medical records were illegally accessed more than 100 times over a 12-year period — says privacy policies provide a false sense of security and penalties to deter breaches need to be much stronger.
Despite a Health Insurance Portability and Accountability Act investigation by the federal Office of Civil Rights that substantiated the unauthorized access of the woman’s records at Southwestern Vermont Medical Center, despite a review by the Licensing and Protection Division of the Vermont Agency of Human Services that found the hospital had failed to meet three key standards for medical records privacy and security, despite calls to the FBI, contact with legislators, and an investigation by the Bennington Police Department, the violator, Kathy Tatro, 54, of Bennington, was given a suspended sentence, fined $2,000, and made to perform 160 hours of community service in return for pleading guilty to four misdemeanor counts of unauthorized access of computer records. She continues to work in a hospital — although not the one where she spied on others’ records — and the hospital where the breaches occurred faced no reported sanction; it was only told it had to take corrective action so patients’ medical information was better protected.
To the victim, the penalty was just a slap on the wrist. The whole experience has “left me feeling extremely violated,” she told Judge Cortland Corsones at Tatro’s sentencing hearing Nov. 9 in Vermont Superior Court in Bennington.
This is believed to be the most extensive breach of personal electronic medical records ever reported in Vermont. In addition to the 106 times the victim’s own records were accessed, the breach involved 94 accesses of her children’s records. The number of breaches, the length of time over which they occurred, and the failure of hospital officials to promptly investigate suspicious records-access patterns go beyond any scenario sketched by state health officials when describing the risks of storing patients’ medical information in electronic databases.
“What I’ve been through, nobody should go through,” the victim said in court. “What is the sense of having a HIPAA law if it’s not enforced? I’m angry at the hospital for not protecting me, for giving me a false sense of security that my privacy was protected.”
E-medical records may also contain what’s called “demographic data.” This includes a person’s date of birth and Social Security number. In the Bennington case, not only was the victim’s medical history revealed once her e-medical records were accessed, but so was information that could be used to assume her identity.
(Tatro was in fact originally charged with identity theft, a felony, but the charge was dropped after no evidence could be found that she had actually used the personal ID information she had obtained to impersonate the victim.)
Asked by the judge why she had looked at the records, Tatro answered, “Morbid curiosity.” She did so with no malice and no thought of personal gain, she said. Tatro is married to the victim’s ex-husband.
In announcing the sentence, Judge Corsones said Tatro’s crimes were “not crimes of violence, but they have had an effect on the victim.”
One effect, the victim explained in court, was how the system let her down. No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place didn’t work on their own; she had to fight to protect her rights.
“I’ve exhausted all remedies. Justice needs to be done,” she told the court.
In addition to her suspended sentence and fine, Tatro must write a letter of apology to the victim and speak to health care workers about the importance of medical records privacy. She’ll be on probation for two years as well. But the penalties don’t add up to the punishment needed to deter others from doing what Tatro did, the victim said. “What I’ve been through is not fair.”
Here are the changes that are needed:
Sanctions against breaches need to be increased. An individual found to have accessed someone’s e-medical records should face stiff punishment; immediate dismissal is warranted, with appropriate criminal sanctions imposed. (The state’s unlawful access of computer data statute needs to include felony charges, not just misdemeanors.)
Regular audits of access patterns to persons’ records must be required; supervisors aware of unusual access patterns need to investigate and act quickly or face sanctions up to and including dismissal.
And — as with all personal information contained in computer databases — we need to make sure government officials, including police, can’t access our medical records without a warrant issued by a court.
Part of the state’s ambitious health care reform efforts centers on the development of a statewide e-medical records system. Soon, all of our medical records will be in electronic databases that can be accessed over the Web. Privacy and security policies and standards are a first step. But more must be done. Strong sanctions whenever a breach occurs will show that Vermont is serious about protecting Vermonters’ privacy.
Allen Gilbert is executive director of the American Civil Liberties Union of Vermont.