Pub(l)ic versus private data in the hospital

Sexting has its costs – and we're not talking about New York politics either.

Huntington Memorial Hospital in California was fined $25,000 after an admissions clerk took a patient's mobile phone number and sent her a sex-based text message. And, it was not just one message to a single patient either. During the investigation, the clerk admitted to having sent up to ten such messages to attractive patients over one year.

The hospital told investigators that the clerk used hospital data “inappropriately” as phone numbers were not part of the clerk's normal business, but that the employee did have legitimate access to patient demographics, contact numbers, insurance and social security numbers. This did not sit well with investigators as their official report found that facility had failed to prevent the unlawful access and use of a patient's medical information.

It seems that the hospital did not limit the clerk's access to patient data and records -- as can readily be done with a DLP/monitoring solution such as Safetica.

California (regulatory) dreaming
Yes, this could only happen in California – at the moment. In addition to producing more fruits and nuts than any other state, California is a leading regulatory state. Californian regulations on automobile emissions, as just one example, have been copied across the United States.

In addition to HIPPA, California has Section 1280.15 of the Health and Safety Code.
This enables the California Department of Public Health to assess an a penalty of up to $25,000 per patient whose medical information was unlawfully accessed or used.

The penalty effectively answers the question: What is the cost of misused data to the responsible institution? The Huntington hospital now knows. And, other institutions have been fined ten times as much – $250,000.

Lots more warnings and training sessions in the future
The solution – at least according to the State of California – is a review of computer systems, more training to remind employees that patient data is sacred, and incessant reminders to employees that that use of their private mobile phones in the wrong area is cause for firing.

On one hand, it makes me wonder how much the costs for data misuse and the bureaucratic responses contribute to the cost of medical care in the United States. And on the other hand, the California law makes it very clear that insecure data handling has a price.