Pending changes in HIPAA law will increase penalties for snooping into medical records
The Swanson family has been stalked.
At least that's how it feels to Julieann Ruggiero-Swanson, after learning that an estranged relative improperly accessed her family's medical records at least 14 times since 2007, most recently this year. It came to her attention, she said, when the relative tried to use the information against them in a legal matter.
"How does this go on for so long without her being caught?" asked Ruggiero-Swanson, a Waterford resident. "Now she knows things about my health that my own son doesn't know. That's creepy."
The case, according to a privacy rights advocacy group, illustrates a weakness in the federal patient privacy law commonly known as HIPAA, the Health Insurance Portability and Accountability Act. That weakness is being addressed in changes to the regulation that are slated to take effect later this year. HIPAA was enacted in 1996; its privacy rule took effect in 2003 to protect patient privacy as electronic medical records came into widespread use.
"This kind of snooping is not unusual, and it's hard to police," said Tena Friery, research director at the Privacy Rights Clearinghouse, recalling one high profile case of hospital workers in California who were caught selling celebrities' medical information to tabloids.
"It can be devastating for the individual. Snooping is a very aggravating, but little acted upon, breach of medical privacy."
In the Swanson case, records for Ruggiero-Swanson, her husband Brian and her 27-year-old son, also named Brian, were accessed by Brian Sr.'s estranged sister, according to documents obtained by The Day. Beverly Swanson of Waterford used privileges she had as an employee of the Neurological Group, a New London medical practice, to access Lawrence & Memorial Hospital's electronic medical records system, the documents state.
Swanson was able to tap into L&M's system and access her relatives' records, even though none of the three are patients of the Neurological Group, according to letters to Ruggiero-Swanson from L&M and the Neurological Group. Ruggiero-Swanson received the letters after requesting that both L&M and the Neurological Group perform records audits.
Now, more than two months after receiving confirmation that her family's records had been inappropriately accessed, justice, as Ruggiero-Swanson sees it, is finally being carried out. Beverly Swanson was arrested Wednesday on a computer crime charge. Because HIPAA, as written, places liability on the hospitals and practices that hold records rather than on individual employees (see the attorney general's office's explanation below), she could not be charged under that law; Connecticut's computer crime statute did apply.
Swanson, 51, of 3R Miner Lane in Waterford, turned herself in to New London police on a pending warrant and was released on a written promise to appear in court. The charge against her, fifth-degree computer crime, is defined by state statute as unauthorized access to a computer system. It is a Class B misdemeanor carrying a maximum penalty of six months in prison and a $1,000 fine.
She did not return messages requesting comment.
Dr. Lawrence Radin, head of the Neurological Group, declined to comment on any actions his practice has taken regarding Swanson's conduct. He did, however, comment on the issue of patient privacy and access to medical records that the case raises.
Policies regarding patient records and what is and isn't proper access are often emphasized at staff meetings, he said. This is the first time an incident like this has occurred, he said, and steps have been taken to ensure there is no recurrence.
"Obviously, we take it very seriously," he said. "We have a lot of discussions about this issue with the staff, and this makes a very tangible example that there are consequences" for not following the practice's policies.
"It's unfortunate," he said of the case.
In the Feb. 29 letter to Ruggiero-Swanson, Rosemary Stephenson, manager of the Neurological Group, acknowledged that Beverly Swanson had violated practice policies and said that "appropriate disciplinary action" had been taken. In its March 7 letter to Ruggiero-Swanson, L&M said it had taken steps to correct the problem of inappropriate access. The letter was signed by Ryan Todd, compliance program manager for HIPAA at L&M. Todd declined to comment further. Mike O'Farrell, L&M spokesman, issued a brief statement.
"While we don't offer comment as it relates to patient privacy," O'Farrell said, "we've addressed this matter based on our internal processes and protocols."
In addition to making complaints to local and state law enforcement that ultimately led to the arrest, Ruggiero-Swanson has filed a complaint with the federal Department of Health and Human Services' Office for Civil Rights. HHS is responsible for overseeing HIPAA compliance and enforcement. The case has been assigned to an investigator, a spokesman for the HHS office in Boston said via email.
Breaches are common
On its website, Privacy Rights Clearinghouse notes that while electronic records have many advantages over paper ones, they also turn sensitive information about physical and mental health into data files that can be seen by "hundreds of strangers who work in health care, the insurance industry and a host of businesses associated with medical organizations. What's worse, your private medical information is now a valuable commodity for marketers who want to sell you something."
Friery, of the Clearinghouse, said that despite assurances to the contrary, the kind of breach seen in the Swanson case is actually common, often occurring during contentious divorce and child-custody cases.
"We do get a lot of complaints about this," she said.
Information on the Clearinghouse's website also notes that individuals have no right to sue for HIPAA violations.
"All you can do is complain to the one who violates your privacy (the hospital or doctor's office) or to the HHS," it states.
Connecticut Assistant Attorney General Tom Ryan said his office has been alerted to the Swanson case and is satisfied that both L&M and the Neurological Group responded appropriately. Typically, his office only imposes penalties or brings charges of HIPAA violations when parties are uncooperative and there is a major systemic problem. One example might be a large health insurance company that, because of lax computer security, allowed a mass release of medical records of many clients.
When it comes to electronic medical records and patient privacy, Ryan said, a balance must be struck between making the system secure and making it workable in the real world of medical care.
"For patient care to go forward, providers need to have access to information," he said. "If you have too draconian of a screening system, that can interfere with medical care. Medical practices get new patients every day, and some of these could be urgent care situations" where immediate access to hospital records is essential.
The HIPAA law, Ryan also noted, makes "entities" - physicians' offices and hospitals that hold medical records - potentially liable to criminal sanctions for HIPAA violations, but not individual employees. It's up to the hospital or medical practice to establish the policies and controls that employees are required to follow, he said.
"If there's that rogue employee situation, that's outside of HIPAA," Ryan said. "That's not a HIPAA violation on the part of the employer."
Changes in the law are pending, however, that will make individual employees with access to medical records liable to criminal sanctions under HIPAA, according to Susan McAndrew, deputy director of Health Information Privacy at the HHS Office for Civil Rights.
As part of the changes, HHS will begin auditing hospitals and doctors' offices to ensure they are meeting HIPAA security and breach prevention rules, and penalties for violations are being strengthened. It also will be easier for individuals to ask hospitals and doctors' offices for reports about who has accessed their records, Friery said.
Radin, of the Neurological Group, said his practice's current records system, installed about a year ago, creates a digital fingerprint with the name of the employee each time a record is accessed.
Ruggiero-Swanson, for her part, believes both the Neurological Group and L&M should have detected that her family's records were being accessed inappropriately long before she brought it to their attention this year. Their own internal audit systems, she said, should have caused them to question why Beverly Swanson was accessing the records and put an immediate stop to it.
"Shame on them," she said. "They need much stronger quality controls enforced."
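How an access trail like the one Radin describes can be turned into the kind of internal check Ruggiero-Swanson says should have existed: the script below is an added illustration written for this page, not code from L&M, the Neurological Group or any records vendor. It assumes an audit log exported as CSV (who looked, from which organization, at whose record, when) and three small reference tables: employee surnames, patient surnames, and which organizations have an encounter on file with each patient. All names, identifiers and log lines are constructed.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed audit log in the shape many EHR access exports take.
# "NEURO" stands in for an outside practice, "LMH" for the hospital.
AUDIT_LOG = """\
timestamp,user_id,user_org,patient_id,action
2012-01-09T14:02:11,bswanson,NEURO,P1001,VIEW
2012-01-09T14:03:40,bswanson,NEURO,P1002,VIEW
2012-02-14T09:15:02,jdoe,NEURO,P2001,VIEW
2012-02-14T09:17:30,rlee,LMH,P1001,VIEW
2012-02-20T16:20:05,jdoe,NEURO,P1002,VIEW
2012-03-01T11:45:00,bswanson,NEURO,P3001,VIEW
"""

# Constructed reference data (hypothetical; a real system would pull these
# from the HR directory, the patient master index and the encounter table).
EMPLOYEE_SURNAME = {"bswanson": "Swanson", "jdoe": "Doe", "rlee": "Lee"}
PATIENT_SURNAME = {"P1001": "Swanson", "P1002": "Swanson", "P2001": "Ortiz", "P3001": "Patel"}
# patient -> organizations that have actually treated that patient
TREATING_ORGS = {
    "P1001": {"LMH"},
    "P1002": {"LMH"},
    "P2001": {"NEURO", "LMH"},
    "P3001": {"NEURO"},
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user_id: str
    patient_id: str
    reasons: tuple


def parse_audit_log(text):
    """Parse the CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(entries, employee_surname, patient_surname, treating_orgs):
    """Return one Alert per access that trips at least one snooping check.

    Check 1 (treatment relationship): the accessing user's organization has
    no encounter on file with the patient. This alone would have flagged an
    outside-practice employee reading records of people who were never that
    practice's patients.
    Check 2 (shared surname): user and patient share a last name, a common
    relative-snooping indicator. It is a triage signal, not proof.
    """
    alerts = []
    for row in entries:
        reasons = []
        if row["user_org"] not in treating_orgs.get(row["patient_id"], set()):
            reasons.append("no_treatment_relationship")
        emp = employee_surname.get(row["user_id"])
        pat = patient_surname.get(row["patient_id"])
        if emp and pat and emp.casefold() == pat.casefold():
            reasons.append("shared_surname")
        if reasons:
            alerts.append(Alert(row["timestamp"], row["user_id"], row["patient_id"], tuple(reasons)))
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Users whose flagged accesses reach the threshold, with their counts.

    A pattern repeated over years, as in the case above, would cross a
    threshold like this long before a patient asked for an audit.
    """
    counts = Counter(a.user_id for a in alerts)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = review_access(parse_audit_log(AUDIT_LOG), EMPLOYEE_SURNAME, PATIENT_SURNAME, TREATING_ORGS)
    for a in found:
        print(f"{a.timestamp} {a.user_id} -> {a.patient_id}: {', '.join(a.reasons)}")
    print("repeat offenders:", repeat_offenders(found))
```

On the constructed log, the two accesses by the outside-practice employee to same-surname patients trip both checks, a colleague's one-off access to a non-patient trips only the relationship check, and the hospital employee's look at her own hospital's patient raises nothing. The script flags for compliance review rather than blocking, which is the balance Ryan describes: a new or urgent-care patient has no encounter on file yet, so hard-blocking on the relationship check would interfere with care, while a flagged access that a reviewer cannot tie to any clinical reason is exactly the signal an audit program should act on.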