
Koo

Member
Dec 10, 2017
1,863
Why wtf? Each of those accesses could have had a fine up to $50,000 under HIPAA rules.
It's very unlikely each fine would go that high, especially if it was just morbid curiosity that was the extent of the violation. Now if, as people in this thread are implying, some of these ex-employees had intent to distribute this information to TMZ or other news organizations, the fines can be HIGHER than $50k and also carry jail time.

Also this termination would not absolve these individuals from facing fines, or the hospital should their training or chart system be deemed inadequate to warn a user they could be violating HIPAA should they access charts for patients who are not assigned to them.

One thing that I guess may be being misinterpreted here: HIPAA violations do not require termination of employment nor suspension of license. The termination in this instance just seems to be this particular hospital's policy regarding any HIPAA violation.

I personally think it is rather harsh for first time offenders to be fired for HIPAA violations for only viewing an unrelated patient's chart. Understandably done if there was proof there was intent to distribute. Maybe the hospital feared this was the case; but if so they should do this for every HIPAA infraction that is similar to this, not just a high profile case like Smollett.

In any case this is really going to affect quality of care to lose 50 professionals when a suspension may have been more appropriate. Have to wonder about the time/costs the hospital is going to rack up anyway by hiring/training more people and how they plan to handle patient care in the interim.
 

Skies

Member
Oct 25, 2017
2,259
I'm a nurse and it has always blown my mind how some nurses don't take HIPAA seriously.

For example, I have seen employees checking up on patients they previously have taken care of through accessing their medical chart. That is a HIPAA violation, yet everyone basically shrugs it off. I understand the want (you develop an emotional bond with these patients), but it still shouldn't be done.
 

hockeypuck

Member
Oct 29, 2017
738
Northwestern uses Epic for its electronic medical records. For famous patients, hospital IT can implement a UI obstacle ("break the glass"), which requires typing in the user's password a second time, as well as selecting a reason for accessing the medical chart. It really does hinder impetuous curiosity. With 50 fired, doesn't seem like this gating mechanism was used (in time).
 

TheYanger

Avenger
Oct 25, 2017
10,140
Yep. That is not a law to fuck around with, despite how angry it makes people's family members or assistants or whoever else I get to deal with on a daily basis.
 

GrizzleBoy

Banned
Oct 25, 2017
2,762
Huh?

So you're saying you can't just open up celebrities' health records and violate your patient protection oath and breach data protection laws?

Huh, weird.

Why can't you do that?
 

Skies

Member
Oct 25, 2017
2,259
Northwestern uses Epic for its electronic medical records. For famous patients, hospital IT can implement an obstacle ("break the glass"), which requires typing in the user's password a second time, as well as selecting a reason for accessing the medical chart. It really does hinder impetuous curiosity. With 50 fired, doesn't seem like this gating mechanism was used.

I was just discussing this with a colleague. We use Epic as well.

We also assumed they didn't use the "break the glass" on his chart. Surely 50 people didn't bypass the gate. I'm not sure of the logistics on that side of the fence, but is the hospital at risk of legal ramifications for not implementing the extra security measure?
 

Bob Beat

Member
Oct 25, 2017
3,916
Morbid curiosity isn't an excuse for stupidity when you should know better... and if you didn't know better you shouldn't have been in the job in the first place
So 'Susan' is suggesting she just searched for his name and didn't actually do anything, like clicking into his chart? I'm suspicious. Like, how would they separate the people who looked for his first few letters and people who put his full name in the search box?

Maybe Susan isn't saying how far her curiosity took her?

Some of the programs make you put your password in after you search, to access the chart. It takes direct action to get thru, even a place where you give your reason to access it.
 
Nov 14, 2017
4,928
This happens in a lot of professional settings. If you work for the Department for Work and Pensions in the UK, every time you access the Customer Information System there's always a chance you can get hit with a 'test check', which is a bit of paperwork you have to write up explaining why you accessed that record. If you can't justify your access, you can get immediately suspended pending dismissal.

The DWP CIS is a regular target for private investigators and journalists trying to get information about people, and just about everyone in the UK is on it - you get added as soon as your parent starts claiming Child Benefit, and you stay on it for the rest of your life. DWP security is pretty hardcore when it comes to accessing that database, and everyone who uses it knows exactly what is and isn't allowed.
It's great that they take this stuff seriously, but shouldn't the access to these records be way more strict to prevent this from happening in the first place?

It's crazy to me that dozens of employees could simply pull up a celebrity's private medical records out of "curiosity." Like even when I try to do a simple price match at Best Buy it requires a manager to come over and authorize it. I would expect hospitals to be way more secure.
From a business perspective, it can be very difficult to know in advance who needs what information and to design the system in such a way with the right kind of access controls.

In the OP it said a surgical nurse was fired. It's entirely reasonable to think someone in that position might need full access to a patient's medical records. In these kinds of settings, you just have to rely on employees' professionalism. They need to understand that they have to act professionally at all times, especially with respect to patient or customer data, and that if they don't they face dismissal or potential prosecution.
 

Dinskugga

Member
Nov 6, 2017
643
It's great that they take this stuff seriously, but shouldn't the access to these records be way more strict to prevent this from happening in the first place?

It's safe. I do not know how it works over there. But here in Sweden we log in with SIS cards and passwords. And everything we do is saved in logs. And if I work on Medical unit 5 I can only access those who are there. And sometimes I'm forbidden to access patients I'm not having. And I'm forbidden to look into my own journal even.

I can search on every patient that is in the hospital. But doing so would trigger the system and I would be fired.
 
Oct 28, 2017
2,722
I used to work at a retail pharmacy. After Prince died, there were several popups after logging in that warned you of HIPAA violations and consequences. You are easily tracked so don't do it.
 

ProfessorLobo

Banned
Oct 31, 2017
1,523
It's not stupid. Legal action can be taken against the hospital. Training another 50 employees is nothing compared to millions in damages.
It's stupid because this could be easily solved with one programmer and a simple privileges/rights system. If this is really such a serious issue basic security should be there.
 

Terminus

Banned
Oct 30, 2017
1,874
Certainly justified, but my god does that hospital's HR department have its work cut out for it. Suddenly facing the prospect of recruiting and training 50 professionals as quickly as possible sounds like a nightmare. I definitely wouldn't willingly go to that hospital for a good long while.

It's stupid because this could be easily solved with one programmer and a simple privileges/rights system. If this is really such a serious issue basic security should be there.

I imagine from a patient care perspective it's better to err on the side of allowing access in order to avoid cases where a system error prevents authorized use and that holds up critical care. Better to let everyone in and sort out who shouldn't have seen what after the fact with severe penalties. But I could be totally off base.
 

EDebs1916

Banned
Oct 28, 2017
483
Certainly justified, but my god does that hospital's HR department have its work cut out for it. Suddenly facing the prospect of recruiting and training 50 professionals as quickly as possible sounds like a nightmare. I definitely wouldn't willingly go to that hospital for a good long while.

Northwestern is a massive hospital that is ranked #1 in Chicago and IL and like 10th nationally. It's also the highest paying hospital in the area for most jobs so I don't think they'll have any issues filling those slots.
 

Stone Cold

Member
Oct 27, 2017
1,466
Can you imagine surviving that grind that spits so many people out, becoming a nurse, having HIPAA law driven into you practically every day in school, only to throw it all away for "morbid curiosity". So, so dumb
 

Zelas

Banned
Oct 25, 2017
6,020
It's stupid because this could be easily solved with one programmer and a simple privileges/rights system. If this is really such a serious issue basic security should be there.
Yeah seems kind of ridiculous that there is no real protection to prevent a rogue employee from putting thousands of records out there.
 

gaugebozo

Member
Oct 25, 2017
2,828
My mother-in-law was fired for a HIPAA violation because she looked up the record of her brother after he was in a motorcycle crash. They're serious business.
 
Nov 8, 2017
957
I just hate how hospitals pick and choose when they enforce HIPAA rules. This only happened because a celebrity was involved. I work in hospitals across multiple states, and if I had a dime for every time I heard nurses and/or doctors discussing cases (including names and other details) in hallways and elevators, my $15.00 hospital cafeteria lunch would be paid for monthly. It's very out of control in some cases.
 

MinusTydus

The Fallen
Jul 28, 2018
8,198
One of those employees - identified simply as Susan, to protect her identity - said that with one click of her mouse, she was fired from her job as a surgical nurse last week.

Oh, so Susan doesn't want her personal information to be disclosed, but sees no issue in accessing the personal information of someone else.

Get fucked, Susan. Hope you get sued.
 

RoKKeR

Member
Oct 25, 2017
15,375
As someone who works with hospital data on a daily basis this is straight up the dumbest thing you could do as a healthcare employee. They all deserve to get canned, honestly, HIPAA isn't a joke.
 

Strafer

The Flagpole is Wider
Member
Oct 25, 2017
29,360
Sweden
Good to know that there are 50 doctors out there that don't care about their patients' privacy.
 

Zellia

Banned
Oct 25, 2017
2,769
UK
50 employees? That's nuts.

Had a job at a bank's call centre once and one of the young lads in our starter group got fired for accessing a relative's banking details, which was explicitly pointed out to be gross misconduct and a sackable offence when we were being trained.

Moral of the story: Don't fuck around with private data you don't need to access. It was made clear at that job and in my current job too. I don't even work in healthcare and never have, data protection is just a major thing that needs to be taken seriously.
 

Dandy

Member
Oct 25, 2017
4,442
A friend of mine's son did something like this, except he was working for the RCMP in IT, and on his first day he looked up one of his friends' criminal record. Fired immediately.
 

Heraldic

Prophet of Regret
The Fallen
Oct 28, 2017
1,633
Why not just earmark such a prolific file thereby blocking access to it in a foresighted effort to curb against human curiosity and you now retain fifty employees instead of losing them?
 

Sweeney Swift

User Requested Ban
Banned
Oct 25, 2017
14,743
#IStandWithTaylor
Why wtf? Each of those accesses could have had a fine up to $50,000 under HIPAA rules.
wtf because HIPAA is a well-known thing even by the general public, let alone people employed at hospitals, and it's baffling this many people in one location acted like idiots in a way that knowingly risked their employment and career. They all 100% deserved to be fired and should never be working anywhere near a hospital again
 

MinusTydus

The Fallen
Jul 28, 2018
8,198
Why not just earmark such a prolific file thereby blocking access to it in a foresighted effort to curb against human curiosity and you now retain fifty employees instead of losing them?
Why exactly would you want to retain 50 employees who are willing to break actual laws in order to receive personal financial gain?

Fuck 'em.
 

whatsinaname

Member
Oct 25, 2017
15,054
wtf because HIPAA is a well-known thing even by the general public, let alone people employed at hospitals, and it's baffling this many people in one location acted like idiots in a way that knowingly risked their employment and career. They all 100% deserved to be fired and should never be working anywhere near a hospital again

Ah, ok. I thought your wtf was directed at the firing and not the morons who accessed the data.
 
Oct 25, 2017
19,165
It's great that they take this stuff seriously, but shouldn't the access to these records be way more strict to prevent this from happening in the first place?

It's crazy to me that dozens of employees could simply pull up a celebrity's private medical records out of "curiosity." Like even when I try to do a simple price match at Best Buy it requires a manager to come over and authorize it. I would expect hospitals to be way more secure.
Assignments change, individuals get shifted to different departments, people get called upon at short notice, etc. You need relevant employees to have fairly easy access to information at short notice, folks like these should know better.
 

transience

Found the ultimate water hazard
Member
Oct 27, 2017
2,260
This isn't surprising at all. I work for a health system of a pretty big college basketball team. I remember players getting hurt and 100+ people looking at their records.
 
Oct 25, 2017
19,165
Why not just earmark such a prolific file thereby blocking access to it in a foresighted effort to curb against human curiosity and you now retain fifty employees instead of losing them?
Nah HIPAA is some shit that gets beaten into you, they should've known better than to try and pop up a celeb's files, they don't deserve extra chances just for existing.
 

Deleted member 176

User requested account closure
Banned
Oct 25, 2017
37,160
doesn't seem like much of a wtf, it's harsh but it's not really something you could do accidentally.
 

metalslimer

Avenger
Oct 25, 2017
9,558
How do you think TMZ gets their medical information? I can't even believe how stupid you have to be to just go searching for those records
 

Culex

Banned
Oct 29, 2017
6,844
We have a similar policy at the bank I work for. If I even pull up my own banking profile or family member without them being in my office, instant termination
 

Gwarm

Member
Nov 13, 2017
2,151
Then get an administrator to give it to them. I can't even change different source code files without going up the chain.

That will never fly in healthcare. Anything perceived as a patient safety issue will be dismissed. Unfortunately, a patient won't hold off on dying for us to sort out our access issues.

I'm in support of systems like Epic's "break the glass" because it requires additional input and justification for accessing the chart. Anyone who bypassed that system knew exactly what they were doing.
 

ImperatorPat

Member
Oct 25, 2017
1,461
USA
It's great that they take this stuff seriously, but shouldn't the access to these records be way more strict to prevent this from happening in the first place?

It's crazy to me that dozens of employees could simply pull up a celebrity's private medical records out of "curiosity." Like even when I try to do a simple price match at Best Buy it requires a manager to come over and authorize it. I would expect hospitals to be way more secure.
I was thinking the same but realized what happens if Jussie or any person were to come into that hospital and need immediate medical treatment, his records need to be available without bureaucratic red tape to allow the nurses and doctor to see the medical history.

I think this same kind of security is used by the IRS and NSA. Open access to data but everything is logged and people get fired for looking at something they can't justify in retrospect.
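
The open-access, log-everything, justify-afterwards model described across this thread (the "break the glass" reason prompt, the DWP "test check", unit-scoped access with logs) can be sketched as an audit pass over chart-access events. This is an added example, not part of any post and not Epic's or any vendor's code; the record layout, user and patient IDs, status names and spike threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical IDs, not from any real system).
CARE_TEAM = {("rn_alvarez", "pt_1001"), ("dr_chen", "pt_1001"),
             ("rn_okafor", "pt_2002")}
RESTRICTED = {"pt_1001"}  # charts that should sit behind a reason prompt

ACCESS_LOG = [
    # (timestamp, user, patient, reason entered at the prompt, or None)
    ("2024-01-15T08:02", "rn_alvarez", "pt_1001", None),
    ("2024-01-15T08:15", "dr_chen", "pt_1001", None),
    ("2024-01-15T09:40", "rn_baker", "pt_1001", None),
    ("2024-01-15T09:41", "rn_diaz", "pt_1001", "covering shift"),
    ("2024-01-15T09:55", "clerk_evans", "pt_1001", None),
    ("2024-01-15T10:05", "rn_okafor", "pt_2002", None),
    ("2024-01-15T10:30", "rn_baker", "pt_2002", None),
]

def classify(event, care_team=CARE_TEAM, restricted=RESTRICTED):
    """Label one access event for the privacy reviewer."""
    _, user, patient, reason = event
    if (user, patient) in care_team:
        return "ok"                      # documented treatment relationship
    if reason:
        return "verify_reason"           # reason was recorded; confirm it later
    if patient in restricted:
        return "escalate"                # restricted chart, no relationship, no reason
    return "request_justification"       # ask the user to explain in writing

def review_queue(log):
    """Every event a human needs to look at, with its label."""
    return [(e[1], e[2], classify(e)) for e in log if classify(e) != "ok"]

def curiosity_spikes(log, threshold=3):
    """Patients viewed by at least `threshold` distinct users outside the care team."""
    viewers = defaultdict(set)
    for _, user, patient, _ in log:
        if (user, patient) not in CARE_TEAM:
            viewers[patient].add(user)
    return sorted(p for p, users in viewers.items() if len(users) >= threshold)

if __name__ == "__main__":
    for row in review_queue(ACCESS_LOG):
        print(row)
    print("spikes:", curiosity_spikes(ACCESS_LOG))
```

Nothing here blocks access, which keeps emergency care unobstructed; the control is that every unexplained view lands in a reviewer's queue and a surge of unrelated viewers on one chart is surfaced early.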