Sex, lies, and the electronic patient record create HIMSS nightmare

February 28, 2001

Pity poor Grits Healthcare System. Under tough interrogation by crack litigator Alan Goldberg, a top executive of the healthcare provider admits under oath responsibility for a breach in confidentiality that, according to the plaintiff, destroyed a young woman's personal life.

Fortunately for the executive, the incident never really occurred, nor could it. Grits Healthcare does not exist. For that matter, neither do the principals in the trial.

The drama that brought this fictitious healthcare provider to heel played out in a mock trial at the February annual HIMSS meeting designed to dramatize the dangers of the increasingly wired world of medicine.

At issue was the release of confidential information regarding the fictional plaintiff, Jane Doe, whose sister-in-law, while working for Grits Healthcare, came across the results from a pregnancy test done on Jane a year earlier. The sister-in-law, shocked that Jane needed such a test (since Jane's husband had undergone a vasectomy five years earlier), duly reported the test to Jane's husband, who filed for divorce soon after.

In his opening remarks, Goldberg claimed his client's life, her entire existence, had been "unfortunately and horribly damaged forever" by the actions of this "miserable excuse for an information services professional." He also claimed that Grits did not have a formal or consistent policy in place to sanction employees who breached patient confidentiality.

"This defendant and his staff knew what needed to be done to protect my client's information, yet they did not do it," he said.

While the soap opera trappings of illicit sex and deceit added sizzle to the proceedings, they were not essential. The inappropriate transfer of any clinical data (a medical image indicating cancer, a coronary calcium measurement indicating risk for heart attack, a DNA-based test showing a predisposition to genetic disease) to the wrong hands could lead to denial of employment or insurance coverage or, at the very least, unnecessary personal suffering.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which directly addressed the issue of security regarding medical data. This law establishes the mechanism by which companies and their staffs can be sued for violating the security, confidentiality, and privacy of a patient's medical records. HIPAA was the cornerstone of the plaintiff's case, as demonstrated by Goldberg's questioning of the Grits Healthcare executive.

"Had you protected the confidentiality, privacy, and security in accordance with the Act, had you imposed the procedures, had you limited information to minimally necessary (staff), had you had software and hardware solutions, would this circumstance have occurred?" he asked the defendant.

Chagrined, the defendant admitted that if Grits had done everything that HIPAA requires, this probably would not have occurred. Goldberg then rested his case, asking for a verdict in favor of the plaintiff, considering the admission by the defendant that there existed "sufficient data, material, procedures, and inspiration following the 1996 enactment of HIPAA" to have avoided the entire incident.

In the closing moments of the ersatz trial, Grits Healthcare and its employees caught a break. Rather than a jury drawn randomly from the public, the final decision regarding liability was put to an audience of healthcare information professionals attending the HIMSS meeting. No one can know whether they took to heart the judge's instructions to find the defendant liable if "he failed to take such action as a reasonable information security professional would have taken under the same circumstances to protect privacy, confidentiality, and security." But it seems likely that those in judgment (a jury not of his peers but of his compatriots) empathized with the defendant, because when the voice vote was called, the defendant was found "not liable" by a two-to-one majority.

2/28/01, Issue # 1504, page 2.