How private are your medical records?

How private are your medical records? »Play Video

PORTLAND, Ore. -- Your private medical records may not be as private as you think.

That’s because the majority of the hospitals in our area are using a records system that can expose your medical chart to snooping.

Doctor Heena Doshi has been a family practitioner for decades. But even she was surprised by what happened to her as a patient.

A medical assistant from a Providence clinic made a mistake. She called and shared ultrasound results with Doshi’s husband over the phone, but Doshi never had an ultrasound, and she wasn’t a patient of the clinic.

“If you are not the physician listed on that particular patient, you should not have the access unless that access is given,” insists Doshi.

But that’s not the case for the largest medical systems in our area, including Providence, Legacy, OHSU and Kaiser Permanente. Your medical record is open to thousands of medical professionals - doctors, nurses, medical assistants and technicians. That’s because those hospitals use a records-sharing system called EPIC.

EPIC, based in Verona, Wisconsin, is a major player at medical facilities nationwide. The company has nearly 300 customers with nearly 1.25 million patient records exchanged every month. The Problem Solvers made multiple attempts to ask EPIC about its system’s security. A company spokesman repeatedly declined comment and referred all questions to our local medical systems.

Each medical system determines who gets access with health care providers getting the most.

“It’s role-defined access,” explains Gary Walker, Providence Health & Services Regional Director for Public Affairs. “So that depending on the scope of your job, you have access to the patient’s medical records.”

For example, a doctor or nurse would have broader access than a receptionist or registrar.

“We wanted to make sure there weren’t any barriers to care,” said Walker. “When someone comes in, their list of prescriptions, their known list of allergies is there and all the information is there.  What we find is patients think that's a real positive. That when they come in the door, we already know them.”

Doshi agrees that emergency personnel need access to your medical information, especially information about allergies and current medications. But she says the rest of the medical community doesn't.

She points out that an ex-spouse or a nosey neighbor who works in the medical field could easily poke around in your records – records that you may want to keep private, like medications, pregnancy test results or plastic surgery.

And what if you’re applying for a job at the hospital where you’ve been a patient?

“People get all sorts of information,” says Doshi. “If you’re hiring, you go on Facebook first and then you hire. If (an employer) wants to go into (your) medical records first, and then decide to hire (you), what’s going to stop them?”

“Unauthorized access is something we take very seriously,” says Walker, “and there are a variety of corrective actions that we have in place for that up to and including losing your job.”

But Doshi says medical systems need to put up more barriers to protect patients' privacy.

“Having access to records is easy,” says Doshi, “but making my life completely an open book is not what I’m looking for (as a patient).”

What’s the policy at your local hospital?

According to Gary Walker, Regional Director for Public Affairs, Providence finished rolling out EPIC at all its Oregon hospitals and clinics in 2013. It takes the following precautions:

  • Access is granted to employees based on their specific job role. Health care providers have the broadest access to patient records. Health care providers can access a patient chart, even if he/she is not their patient.
  • All Providence employees are required to take yearly privacy training.
  • The compliance department conducts complaint-driven audits and is beginning to perform random audits to verify that access is appropriate. 
  • In Oregon, the compliance department looks into about 200 inquiries every year regarding a wide range of patient privacy violations, questions and issues. Providence will not verify whether any employees were dismissed last year due to privacy violations.

According to Brian Terrett, Director of Public and Community Relations, Legacy Health has been using the EPIC system since 2009. It takes the following precautions:

  • The health system tracks every click into every patient chart. The compliance department conducts an investigation if someone believes that his/her record has been accessed inappropriately. Security also runs random audits of patient charts to verify that each has been accessed by only appropriate personnel.
  • All Legacy employees undergo privacy training.
  • If a Legacy employee has accessed a patient’s medical record without a valid reason, the employee is issued a final, written warning.
  • If a Legacy employee has accessed a patient’s medical record without a valid reason and then shares that information, the employee is immediately terminated.
  • The compliance department conducts about 100 to 120 investigations per year.  An undisclosed number of employees, including doctors, have been fired for snooping.

According to Mirabai Vogt, a media specialist, OHSU has been using EPIC since 2005. It takes the following precautions:

  • Access is tiered based on job type, allowing employees the “minimum necessary information” required to do their jobs.
  • Health care providers can access records of people who are not their patients. OHSU contends that it is important for providers to be able to quickly access a patient’s record for treatment purposes without a lot of administrative hurdles. Additionally, it is important that a provider has expeditious access in an emergency situation.
  • OHSU trains all its employees on the appropriateness of accessing patient information.  Violating OHSU policies can result in sanctions, including revocation of access privileges, written warnings and formal retraining, or termination.
  • The compliance department periodically accesses EPIC logs if there are potential issues, such as unusual usage patterns, complaints from patients or reports of concern from employees. Compliance officers conduct an undisclosed number of investigations each year, some resulting in terminations.

According to Maryann Schwab, Regional Compliance and Security Officer, Kaiser Permanente has been using EPIC at a hospital level for the last five years. It takes the following precautions:

  • The compliance department tracks every time a record is accessed or edited.
  • Access to patient records is based on employees’ job roles.
  • New employees undergo two privacy training sessions; all employees take refresher privacy training yearly.  Every employee signs a confidentiality agreement.
  • The compliance department conducts both complaint-driven and random audits to check for inappropriate access.
  • The compliance department conducts about 500 investigations per year. Last year, 15 employees were terminated for accessing patient records without a valid reason.