The Adobe Flash Player is required to view this multimedia interactive. Get it here.

Electronic health records raise fresh privacy fears

Potential access can extend to hundreds or thousands of hospital and/or clinic workers.

Man, 68, drowns at Caesar Creek Lake
5/26/12
Water rescues prompt warning from health officials
5/25/12
Beach Waterpark sued for failure to deliver
5/25/12
Raleigh Trammell’s defense opens in felony trial
5/25/12
UD to move satellite campus to Dublin
5/25/12
> More headlines

By Ben Sutherly, Staff Writer Updated 1:20 AM Saturday, October 23, 2010

DAYTON — Electronic health records are widely seen as a way to improve patient care, reduce duplication of services, and potentially cut costs in the U.S. health care system.

But they also raise fresh privacy concerns, with hundreds or thousands of employees having potential immediate access to a patient’s sensitive medical information.

A possible information breach at Miami Valley Hospital is one of the latest local reminders of those privacy concerns. It involves Brennan Eden, a “high-profile” patient whose sensational Aug. 23 vehicle crash on Interstate 675 was captured on video viewed nationwide.

About 200 hospital employees accessed Eden’s medical records, but it’s not yet clear whether any of that access was due to curiosity. Under federal law, workers may only access a patient’s electronic medical records for a legitimate business need.

Eden was seriously injured after he sped along I-675. His Pontiac Firebird hit a culvert, launching it into an overpass. The force broke the car apart, ejecting the 19-year-old Mason man onto the highway during the morning rush hour.

Eden’s mother, Andrea Eden-Shingleton, said she hopes her son, who suffered “major traumatic injuries,” will make a full recovery. He is at home after being released from the Drake Center in Cincinnati on Sept. 23.

Many patients would be shocked to know how many people can access their electronic medical records, said Dr. Deborah Peel, founder of Austin, Texas-based Patient Privacy Rights, a privacy advocate.

Some health care provider’s electronic medical record systems are woefully inadequate when it comes to patient privacy and don’t do enough to limit access up front, Peel said.

“The electronic medical record just makes the privacy you deserve as a normal person very difficult,” Peel said. “It’s a reality. These systems are not secure.”

Paper records also have their problems, said Harry Rhodes, who specializes in patient privacy for the trade group American Health Information Management Association. Often, they’re not physically secured, and keeping track of hundreds of paper copies of medical records can be very difficult.

Technology has been developed to limit up-front access to patient information, including “role-based access,” which only lets certain employees enter patient records, Rhodes said.

He acknowledges that there have been issues in the design of electronic health record systems, but says the industry hasn’t ignored them.

Neither should patients.

“Consumers should ask questions about what steps are being taken to secure their electronic health records,” Rhodes said. “That makes (health care providers) realize they need to pay attention to it.”

Local hospitals say privacy is paramount

Access to Brennan Eden’s medical records came up as a “teachable moment” during an Aug. 28 meeting of managers at Miami Valley Hospital.

The meeting was just days before Premier Health Partners on Sept. 1 rolled out a more uniform patient privacy policy for employees across its hospitals, including Miami Valley. For some hospitals within Premier’s system, the privacy policies are more stringent.

Premier is on pace to do 750 to 1,000 audits this year to deter inappropriate access and in response to patient requests, a spokeswoman said.

Premier, the Children’s Medical Center of Dayton, and Kettering Health Network, which has performed 33 audits so far this year, said they place great emphasis on education.

“We really do want to educate and emphasize the confidentiality of the medical record” to employees, said Dianne Judge, vice president of corporate compliance and enterprise risk at Premier Health Partners, whose largest hospital is Miami Valley Hospital.

Hospitals are responding in part to larger fines for patient privacy violations. Prior to February 2009, a health care provider faced a maximum fine of $100 per privacy violation. Now, the cap is $50,000, said Rachel Seeger, spokeswoman for the Office for Civil Rights.

Hospitals also must publicly disclose breaches affecting at least 500 people. Earlier this year, the Children’s Medical Center of Dayton had to make public its improper disclosure of the names of 1,001 children who visited its diabetes clinics. The names were given to a local diabetes association for a summer diabetes camp mailing list. The hospital was not fined.

If there was inappropriate access to Brennan Eden’s files, he will be notified within 60 days, according to the hospital.

Andrea Eden-Shingleton said she reported the potential records breach to the Office for Civil Rights to ensure that someone besides hospital administrators look at her son’s case. “I hope they find absolutely nothing,” she said.

According to the Office of Civil Rights, only 11 percent of complaints filed between April 2003 and December 2009 in Ohio were found not to be valid.

Contact this reporter at

(937) 225-7457 or

bsutherly@DaytonDailyNews.com.

Share this article