Eyes only' applies to larger organs as well

“Let's go around and introduce ourselves and explain why we're here.”

“I'm Big Tony, and I whacked a scum-sucking low-life FBI snitch.”

“Are you sorry?”

“Yeah, sorry I got caught. Should've used stronger acid.”

“No, aren't you sorry you violated the informant's right to life?”

“He was a miserable . . .”

“Who's next?”

“I'm Bernie, and I shouldn't even be here. I didn't do anything wrong.”

“Your investors lost $50 billion. Most were wiped out.”

“Invest in the stock market, and you have to accept the risk you'll lose money.”

“But Bernie, you made off with that money in a Ponzi scheme. Do you want to be paroled or not?”

“Fine. I'm sorry I made some poor investment choices. Happy?”

“I guess. Next.”

“I'm Dr. Que, and I didn't do anything wrong. I was just trying to help a patient.”

“Dr. Que, doctors don't go to prison for helping people.”

“I released some patient records to another treating hospital without a patient's release, a HIPAA violation, but I was just trying to . . .”

“You're just another low-life informant if you ask me.”

“I may have stolen money, but you're stealing people's privacy. Big Tony, I'll hold him, and you shiv him.”

“Shank him. Shiv is a noun. Shank is both a verb and a noun.”

I'm fascinated by the world of criminals: politicians, bank CEOs, hedge fund managers, etc. Recently, I contemplated a criminal act myself in the hopes of experiencing the same thrill. A woman from a university hospital called asking for the CT reports on a patient who had been transferred there the week before.

“Sure, just fax me a patient release form,” I said. She couldn't but pleaded for me to help her out. I really did want to help, but then I wondered why she hadn't gotten the reports from the actual transferring hospital? They too had refused, lacking a patient release form. I trembled with anticipation. My knees grew weak. Should I fax the records without patient consent? A shiver ran up and down my spine.

President Obama is championing conversion of all medical records to an electronic format within five years. Just one little problem-with a click of a mouse this information can be disseminated throughout the world. Privacy quickly becomes a quaint, outmoded concept. Even with stringent Health Insurance Portability and Accountability Act regulations, thousands of unauthorized private patient files have been accessed and sold.

Lawanda Jackson, a 32-year supervisor at the University of California, Los Angeles, was caught selling the medical records of the likes of Britney Spears, Farrah Fawcett, and Maria Shriver, California governor Arnold Schwarzenegger's wife, to the tabloids. UCLA had more than 1000 instances of unlawful access by 165 employees looking at the records for stars such as Tom Cruise. George Clooney was briefly hospitalized in New Jersey, and 40 staff accessed his files. Even Bill Clinton has been a victim.

All electronic records are at risk. President Obama's cell phone records were accessed by Verizon employees. State Department employees accessed the passport records of Obama, Hillary Clinton, and numerous celebrities-one as many as 365 times. Because of these incidents, privacy advocates in Congress have been lobbying for even more stringent laws than HIPAA. One proposal would require all providers to obtain signed consent from patients prior to release of any healthcare information for treatment, payment, or administration. Yikes!

In another twist, most state courts trying a malpractice case make a plaintiff give up the right to privacy in his or her pursuit of a lawsuit. However, a district court in Maryland and the state supreme court of Georgia have ruled that since HIPAA is federal law, it trumps state laws. Therefore, a patient's consent has to be obtained for such records. New York state law has been modified to require signed consent to accompany all subpoenas for medical records. Perversely, some patients who are suing have objected to the release of their own records.

So should I have released those CT reports without a consent? The proposed universal medical record does have huge advantages. Our teleradiology practice has had patients from client hospitals on cruise vacations in Hawaii and Alaska present with complex medical problems like brain tumor or pelvic tumor. Without local comparison studies, it was unclear whether these patients needed immediate acute care or could wait till they got back to the mainland. Most hospitals would not have access to these individuals' hometown studies, but we could access them quickly and confidently state that there was no significant change. Did we have safe authorization to access their previous records? A gray area maybe but one that clearly benefited the patient's timely care.

In another example, a patient went to three different hospital emergency rooms complaining of severe abdominal pain within a few hours. We covered all three hospitals and were concerned about the degree of radiation exposure this patient was getting. When this concern was shared with the ER physician, the patient initially denied those visits, but then it was revealed this patient had a history of drug abuse, drug-seeking behavior, ER shopping, and lack of insurance. This case could be problematic, since the patient may not be so agreeable about sharing records.

Overall, the number of actual HIPAA prosecutions has been limited, usually to cases of wilful abuse like that at UCLA. Most imagined risks are disproportionate to the true risks. Penalties have often been educative and remedial, with fines often waived in response to corrective action. A good faith effort to balance patient care and privacy is the best defense, and prosecutions for unintended violations in the service of emergency patient care are often waived.

So I probably could have faxed those reports. If it were an emergency, I definitely would have, but in light of recent legal rulings, it was probably best to be safe. I wouldn't want to end up being shanked with a shiv by Big Tony.