Dear Washington Post: Patient privacy rights are no joke

I read with dismay last week's article by well known Washington Post business columnist Michelle Singletary, who questioned whether several hospital employees should have been fired by a hospital in New Zealand for inappropriately accessing the hospital's electronic health record to view the information of a patient with a "titillating" medical emergency, and then sharing the records with the public and media.

It turns out that more than 30 employees improperly accessed and/or publicized the patient's records. The hospital fired a few and disciplined others.

Singletary wondered if they should have been fired since "it would have been hard to resist" looking at the records, and implied that perhaps the hospital had acted harshly since, after all, the patient hadn't filed a complaint.

But she didn't say one word about whether the employees violated the law (New Zealand has health privacy laws comparable to ours), or whether the hospital had an obligation to investigate and take disciplinary action.


A supposedly well informed national business columnist (and her editors) who don't understand that hospital staff can't inappropriately review patient records simply because they have easy electronic access and the records make for good gossip.

HIPAA has been on the books since 1996. State privacy laws go back even further. There has been a lot of publicity about privacy rights. People have gone to jail simply for snooping; for instance, in 2009, an Arkansas doctor was fined $5,000 and sentenced to perform 50 hours of community service for looking up the record of a hospital patient from his home computer out of curiosity. The Post's fact checkers would easily have picked this up in a search of their own archives.

But if the Washington Post is going to run a one-sided commentary questioning whether these people should have been fired, this does not bode well for health IT.

For one, the article provides inaccurate information. An individual who's less familiar with HIPAA might think that patients don't have much of a right to privacy, when in fact they do. It's bad enough that security breaches occur due to sloppiness, hacking and other reasons. But if consumers are going to think that their electronic records--especially sensitive information--are fair game for hospital gossips and are potentially shareable with the media without repercussion, then the industry is moving backward. Consumers are not going to embrace EHRs. They're not going to trust them. At least paper records don't get disseminated so widely.

Plus, this kind of article--and attitude--coming from a national newspaper could put a crimp into the Meaningful Use program. One of the biggest priorities of Stages 2 and 3 of the program is patient engagement. Providers are supposed to be moving to more of a partnership with patients and their electronic medical records. How will the industry ever sell patient engagement with such misinformation being published? If the Post can't get it right, how will an individual consumer?

Perhaps coincidentally, the Centers for Medicare & Medicaid Services this week released additional guidance to consumers in eight different languages explaining their health privacy rights.

I hope CMS also sends this guidance directly to the Post. Sounds like there's a greater need for education all around. - Marla (@MarlaHirsch)