« More Snooping at UCLA: Farrah Fawcett’s Medical Privacy Breached | Main
“It Was Just Me Being Nosy,” Claims Snooping Employee in UCLA Medical Privacy Breach
By Privacy Maven | April 9, 2008
The employee at the center of the UCLA Medical Center medical privacy breach scandal, claims nosiness as her motive. That’s somewhat akin to a security guard caught sleeping, saying, “That was just me taking a nap.” Although UCLA would not release her name, the LA Times found her and interviewed her.
The UCLA Medical Center employee who allegedly pried into the private medical records of the governor’s wife and 60 others in a burgeoning scandal was a low-ranking administrative specialist who told The Times on Tuesday that “it was just me being nosy.”
“Clearly I made a mistake; let’s put it like that,” Lawanda J. Jackson, 49, said when asked in a telephone interview why she improperly looked at the records of so many patients, including California First Lady Maria Shriver and actress Farrah Fawcett.
“I didn’t leak anything or anything like that,” said Jackson, who had worked at the hospital since she was 16. “It wasn’t for money or anything. It was just looking.”
UCLA took steps last May to fire Jackson after determining that she had inappropriately accessed dozens of electronic medical records, UCLA officials say. But the employee resigned in July before she could be fired, spokeswoman Roxanne Moster said. (Previously, the hospital told The Times that it had fired Jackson.)
Neither UCLA nor state health officials have confirmed Jackson’s identity, but The Times was able to verify it.
The breaches have triggered several state investigations and created a major embarrassment for UCLA. The hospital could face serious sanctions from the California Department of Public Health, and Jackson could face criminal charges for allegedly violating a federal privacy law.
Although such charges are uncommon, federal prosecutors in Los Angeles have launched a preliminary inquiry into the matter, a source in the U.S. attorney’s office said Tuesday.
“We’re certainly interested and we’re looking into it,” said the source, who asked not to be named because he was not authorized to speak publicly about the case.
Among the 61 patients whose records Jackson allegedly viewed in 2006 and 2007 were 33 celebrities, politicians and other well-known people, state officials have said.
UCLA’s ability to keep patients’ information private has been at issue since The Times reported last month that the university was trying to fire 13 workers and was disciplining 12 others for peeking into the records of pop star Britney Spears, who was hospitalized in its neuropsychiatric unit in January. (More.)
Britney Spears
As the LA Times article goes on to point out, it may not be as simple as one nosy employee. In an earlier story, the LA Times discussed other celebrity medical privacy breaches at UCLA.
When asked last week if there were other recent high-profile breaches along the lines of the ones involving Spears and Fawcett, UCLA’s chief compliance and privacy officer Carole A. Klove said, “Not to my knowledge.” A UCLA spokeswoman said Sunday that Klove was referring only to current cases.
While looking into the breaches in Fawcett’s case, a state inspector discovered the other violations Friday. The state Department of Public Health said it now has several investigations underway, and it is working with the federal government.
“UCLA assured us — the state — that the initial breach [of Spears’ records] was an anomaly,” Belshé said. “And we have since learned that, simply put, it is not anomalous.”
The latest development at UCLA highlights the irony that as privacy laws have become stronger, the computerization of medical records can increase the risk of unauthorized scrutiny.
Such widespread breaches, however, appear to be rare. Computers allow UCLA and other hospitals to track which employees call up individual records.In Spears’ case, Feinberg said, UCLA was able to quickly identify trespassers and take almost immediate action against them, demonstrating that the medical center had learned from previous lapses.
Shriver and Gov. Arnold Schwarzenegger were notified Friday evening that her records had been viewed inappropriately, state officials said Sunday.
Shriver, a former contributing anchor to Dateline NBC and niece of President Kennedy, could not be reached Sunday.
In a statement, Schwarzenegger said that “a breach of any patient’s medical records is outrageous” and that he had called on his administration to take action after the first incident — Spears’ case — was reported last month.
“Patients’ medical records should be private — period,” Schwarzenegger said. “No one should have to worry that an unauthorized person is reviewing their private medical records.” (More.)
California Governor Arnold-Schwarzenegger and First Lady Maria Shriver
The problem is not lack of laws, but lack of enforcement.
When Congress passed a federal medical privacy law more than a decade ago, it was hailed as a new level of protection for patients nationwide. But even though the government has received about 34,000 complaints of privacy violations since it officially began enforcing the law five years ago, only a handful of defendants have been criminally prosecuted.
The half a dozen or so cases mainly involved clerical workers who pilfered patient information, using it to open credit card accounts or selling it to crooks who tried to bilk Medicare and the Internal Revenue Service.
Moreover, although the federal Health and Human Services Department has the authority to levy civil fines on medical service providers for privacy violations, it has yet to do so.
The recent revelation of snooping by UCLA Medical Center employees into the files of Britney Spears, Farrah Fawcett, California first lady Maria Shriver and dozens of other patients, however, may force a second look at the federal law, widely known as HIPAA, the Health Insurance Portability and Accountability Act of 1996.
Critics say the government’s approach — which focuses on getting providers to correct violations — may be too lenient, particularly at a time when medical records are increasingly being shifted from file folders to computers. In addition, a Justice Department legal opinion has stated that the law applies primarily to organizations — hospitals, health insurance plans and doctors’ offices — and only secondarily to individuals such as the low-level clerks most often implicated in information theft.
“If you are punishing the [organization] but not the person who actually did the dirty deed, then we are missing the boat,” said Doreen Z. McQuarrie, a Houston lawyer who specializes in healthcare issues and has studied the federal law.
The law was supposed to have had its greatest impact behind the scenes, ushering in a new era of sensitivity to patient privacy in the healthcare industry. But skeptics say that has not been the case.
“What the rules were supposed to do was regulate one of the most common conversations we have: ‘How are you?’ ” said Dennis Melamed, editor of the Health Information Privacy/Security Alert, which tracks the law and its enforcement. “They did it with an incomplete set of instructions, and when you are talking about an industry as huge as healthcare, that gets to be pretty difficult.” (More.)
In the final analysis, something needs to be done besides officials making the usual apologetic, hand wringing statements after the fact. To learn more about U.S. medical privacy laws and what you can do to protect yourself, see the following resources.
- EPIC Medical Privacy Resource Page
- Office for Civil Rights - HIPAA
Topics: Public Figures and Privacy, Medical Privacy |