Electronic Medical Records Lost Using External Hard Drive

I hate to call anyone stupid, but reading stories like Hospital Reports a Possible Data Loss really steams my Chinese dumplings.  According to the post, a doctor who works at two facilities, including the famous Harvard’s Brigham and Women’s hospital (of NOVA fame) walked out carrying a hard drive with over 600 patients’ personal, private medical records and then “lost” it on a trip to Mexico.  How could anyone commit or sanction such a risky action as walking out of a medical facility while hand-carrying an unprotected copy of so many people’s medical records in electronic form?!  And you gotta love that the records ended up in freakin’ Mexico of all places.  Whoever the legendary doctor was — who remains nameless — couldn’t have done a better job, short of sending the records to Al-Qaeda.  Can you imagine?!  Ugh…

You know what the answer to this is?  It’s quite simple — don’t store records on removable hardware. With the Cloud in place, I dream of the day when it’s mandated by law that health records cannot be stored on portable hardware.  We have so many brilliant companies using the latest SaaS technology that I really scratch my head wondering why this isn’t the default choice for all EMR and EHR systems.  There is little reason that the above disaster should still be allowed to happen in 2011.

Rather interestingly, and yet again, this is another example of data theft of patient records that was NOT electronic theft.  No usernames and passwords were hacked to get at the information.  It was just a plain, simple (at least as far as anyone knows) dumb-luck loss.  Another shining and yet pitiful example of why I believe that records are far safer on the web and in the Cloud than in someone’s portable hard drive or laptop.  Do we really need to start anti-theft pad-locking and chaining hardware in place at medical facilities?

On another note, I’d love to have been the fly on the wall when the doctor was asked what happened that encouraged him or her to walk out with it.  Just how common is it?

Dr. West is an endocrinologist in private practice in Washington, DC.  He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC, as a solo practice in 2009.  He can be reached at doctorwestindc@gmail.com.

About the author

Dr. Michael West


2 Comments

  • On the surface I agree with you, but your post has so many assumptions and knee-jerk conclusions that it’s difficult to take your response at face value.

    “How could anyone commit or sanction such a risky action…” The same way doctors walk out of hospitals with paper charts every single day. It’s not supposed to happen, but it does. In the real world, people are overworked and need to take work home with them to ensure it is completed appropriately. I’m not justifying the behavior, but it’s not unique to EMRs. The only thing that will improve the situation is creating systems — both electronic and policy — that enable clinicians to do high-quality work while they’re in-house.

    “With the Cloud in place…” With the cloud in place, we’ll still be inundated with mediocre systems that do not allow us to access the data/information we need, when we need it, in a way that is conducive to productivity and efficacy.

    “I dream of the day when it’s mandated by law that health records cannot be stored on portable hardware.” All the laws in the world will not prevent people from doing what this doctor did. By your rationale, HIPAA should have prevented this event from occurring. It didn’t, though. This was simply an individual who made a poor decision, and no law will prevent that from happening.

    This story highlights a security mindset that is based on preventing unlikely “perfect storm” events. Based on the article, the data on the drive was most likely erased, but even if it wasn’t, chances are incredibly small that the data fell into the hands of someone with the means and motivation to use it for anything more nefarious than copying a bootlegged version of Captain America. People who actively attempt to break into medical databases are a much larger and more realistic threat.

    To reiterate, I’m not excusing this person’s behavior. To point fingers and call this person “stupid” without understanding the whole situation, however, is short-sighted, and shifts the focus from the larger systemic failures that should be addressed.

  • Hi Chuck. My post is more of an editorial commentary on a story I found quite interesting. It’s not meant to be politically-correct and I’m not worried about calling something “stupid” if that captures the sentiment and feeling more so than another word one might prefer.

    Sure, doctors walk out of hospitals every day with charts to finish dictating at home, but that’s not really what my post was about. Sure, no Cloud system will be perfect, and no law will prevent humans from being humans.

    It’s good to know that you think the data on their drive was unlikely to be important, and it’s almost certain that for litigation purposes the hospital spokesperson is trying to reassure the patients similarly.

    As for your last consideration, I’m really not here to solve systemic failures. Just enjoying the blogging process and thinking about current EMR-related stories in my spare time. Easier to stay happy that way 🙂
