Hospital Allegedly Fails To Establish Sufficient Security Measures For Online Medical Records

This case involves a woman whose roommate accessed and shared her sensitive medical records without her consent. Leading up to the event, the woman and her roommate had gotten into a dispute. Because of this dispute, the roommate vengefully logged into the plaintiff’s online records using easily-ascertainable personal information and sent the medical records to the woman’s partner. The records contained information regarding the woman’s history of an incurable sexually transmitted disease which her partner was unaware of. It was alleged that the hospital was negligent in providing sufficient security barriers for accessing sensitive records. An expert in electronic health records was consulted to determine if the hospital was in violation of any regulations that may have forbidden certain information from being accessible online.

Question(s) For Expert Witness

1. Please briefly discuss your background with electronic health records.

2. Have you encountered a similar scenario in your practice? How are such cases typically prevented?

Expert Witness Response E-070077

I have been involved with electronic healthcare records (EHR) as an end user, analyst, and administrator for 30+ years. This covers the spectrum of EHR - configuration, support, technical components, and clinical workflows, among others. I have not encountered an external security breach but several internal security breaches at a hospital with individuals accessing medical records beyond their scope of practice - lab data, medical histories, and medications. For internal user access issues, different security access rights can be created to limit what a user can access. However, this doesn't stop someone with appropriate rights from looking at a patient they shouldn't be accessing. HIPAA privacy and security rules provide a framework that hospitals are held accountable to.