Friday, February 18, 2011

EHR as Molestation Candidate Selector: What was this Resident looking for in the EHR before "examining" female patients?

As I was the Director of Clinical Informatics/CMIO (Chief Medical Informatics Officer) at Christiana Care Health System in Delaware back in the mid to late 1990's, and was the physician-architect of their EHR systems then, I find this story particularly disturbing:

First-Year Resident Accused Of Fondling 6 Patients, Feb. 18, 2011

Warrants Issued, Police Searching For Suspect

NEWARK, Del. - Delaware State Police are trying to find a former first-year resident at Christiana Hospital who they have identified as a suspect in alleged sexual contact with six patients.

According to state police, [the former Medical Resident] has been charged with six counts each of third-degree unlawful sexual contact and abuse, mistreatment or neglect of a patient or resident of a facility.

... The incidents were reported between Oct. 1 and Nov. 15 at the hospital in Newark.

The female patients were between the ages of 20 and 32, police said.

Authorities interviewed victims and hospital staff, reviewed patient charts, and audited access to computer records, which led to the identification of [the Resident] as a suspect, according to state police.

... State police said investigators found [the Resident] accessed the computerized hospital records of the six victims prior to the incidents, performed "physical exams" on the victims and failed to provide clinical documentation of the examinations in the victims' hospital charts. Scheduling records also indicated that [the Resident] was working when the incidents occurred.

... In three of the incidents, it was determined that the victims were identified as "non-teaching" patients for whom [the Resident] had no direct patient care responsibilities and had no authority to conduct physical exams or access their hospital records.

Also noted in another account of the story in the Delaware News Journal (a newspaper) is this:

... State police initially released details about three of the assaults on Nov. 12 and said at the time that they were investigating why hospital officials did not report the incidents to police until after the third assault, some two weeks after the first victim reported the incident to hospital staff.

During the subsequent police investigation, three additional women contacted state police to report similar incidents.

One could ask, then, why the Medical Resident was able to access these medical records, and why the unauthorized accesses apparently took some time to discover by "investigators" (presumably law enforcement officers), only after complaints were made.

It is also reasonable to assume this Resident did not abuse the first woman whose records he found in a search. There was likely a larger series of unauthorized chart accesses as he searched the EMR system. In other words, I don't think he was peeking at an individual record, and then going in to a room to do his nasty work, one at a time. He was likely looking at a number of potential "candidates" before each incident; i.e., he was likely "trolling around" for potential victims.

It would be interesting to see the electronic "footprint" he left.

I had horrifying firsthand experience with abuse of electronic medical information in an earlier role in the public sector.

Specifically, I had observed the events in John Doe vs. the Southeastern Pennsylvania Transportation Authority. In this situation a gay co-worker, the SEPTA Employee Assistance Program liaison John Eakes (now deceased of AIDS) with whom I had worked extensively in the SEPTA Medical Department, was discriminated against by administration after peeks at his prescription records. His medications included those used in treating HIV-positive patients:

...[After the disclosure to SEPTA Chief Administrative Officer (and Deputy General Manager - ed.) Judith Pierce, Doe - a.k.a. Eakes] testified that he felt as though he were being treated differently. A proposal he had made for an in-house employee assistance program met with scant interest; he felt that this was because of his HIV condition. In addition, an administrator who reported to Pierce did not call on Doe to assist in the same way that he had called on Doe earlier. Doe testified that he felt as though there was less social chitchat, co-workers ate less of the baked goods he brought to the office to share, and that his work space seemed more lonely than before. He also became fearful of Pierce, who never told Doe that she knew of his illness. Doe alleges that he became depressed and requested a prescription for Zoloft, an antidepressant, from his physician. Later, another antidepressant called Elavil was added to the medications Doe was taking.

John Eakes was a good and conscientious employee and deserved none of this, in these relatively early years of HIV+ intolerance.

Therefore, when I was CMIO at Christiana Care Health System just a few years later, and as Chair of the committee on compliance with the then-new Health Insurance Portability and Accountability Act of 1996 (HIPAA), I recommended strongly that chart audits for unauthorized access be performed on a regular basis by a dedicated person or team, and rapid action taken if it occurred. (Then again, my counsel on healthcare IT was not infrequently ignored.)

Multiple accesses by a resident (trainee) to EHR records of non-teaching (private) patients should have sent up a very large and immediate cybernetic red flag.

Ding! Ding! Ding! Warning! Unauthorized accesses detected...
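
One way such a recurring chart-access audit could be expressed, as an added example (not code from this post or from any hospital's system). The log columns, the care-team table, the role names and the break-glass flag are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not real data); column names are assumptions.
AUDIT_LOG = """ts,user,role,patient,break_glass
2011-01-05T09:02,res_a,resident,P100,0
2011-01-05T09:10,res_a,resident,P200,0
2011-01-05T09:12,res_a,resident,P201,0
2011-01-05T09:15,res_a,resident,P202,0
2011-01-05T10:30,res_b,resident,P200,1
2011-01-05T11:00,att_c,attending,P200,0
"""
# Hypothetical census: teaching status and assigned care team per patient.
PATIENTS = {
    "P100": {"teaching": True, "team": {"res_a", "att_c"}},
    "P200": {"teaching": False, "team": {"att_c"}},
    "P201": {"teaching": False, "team": {"att_d"}},
    "P202": {"teaching": True, "team": {"res_b"}},
}
TRAINEE_ROLES = {"resident", "student"}

def audit(log_text, patients, threshold=2):
    """Return (findings, escalate) for chart opens lacking a care relationship."""
    findings, charts_by_user = [], defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        patient = patients.get(row["patient"])
        if patient and row["user"] in patient["team"]:
            continue  # user is on the care team: expected access
        if patient is None:
            reason = "unknown-patient"
        elif row["break_glass"] == "1":
            reason = "break-glass-review"  # emergency override: review, don't count
        elif row["role"] in TRAINEE_ROLES and not patient["teaching"]:
            reason = "trainee-nonteaching"  # the pattern described in the post
        else:
            reason = "no-care-relationship"
        findings.append((row["ts"], row["user"], row["patient"], reason))
        if reason != "break-glass-review":
            charts_by_user[row["user"]].add(row["patient"])
    # Several distinct unrelated charts by one user suggests browsing, not a slip.
    escalate = sorted(u for u, c in charts_by_user.items() if len(c) >= threshold)
    return findings, escalate

if __name__ == "__main__":
    found, escalate = audit(AUDIT_LOG, PATIENTS)
    for finding in found:
        print(*finding)
    print("escalate:", escalate)
```

Run on each day's log, this lists every chart open that has no care-team relationship and names the users whose count of distinct unrelated charts reaches the threshold.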

I am also concerned about the characteristics this former trainee was seeking in reviewing the EHR. A history of gynecological or breast disease to serve as a ploy for performing an intrusive exam? Was he looking for a psychiatric history? A history of prior sexual abuse?

While the EHR proved helpful in post hoc forensics, are we now seeing another potential abuse of EHR's for the identification of patients who may be preyed upon by the disturbed?

It would be helpful to know if there was a common medical theme regarding the patients affected in this rather shocking affair.

-- SS

Feb. 19 Addendum:

This affair reminds me of a saying that became news in the election of President Barack Obama:

"The Chickens Have Come Home To Roost" - Rev. Jeremiah Wright

Feb. 21 Addendum:

It appears that the corporate PR folks are monitoring the airwaves in planning their responses to this scandal. From the blog viewing logs:

IP Address 167.112.160.# (Christiana Care Health Services)
ISP Christiana Care Health Services
Time of Visit Feb 21 2011 9:36:32 am
Last Page View Feb 21 2011 9:42:03 am
Visit Length 5 minutes 31 seconds
Page Views 5
Referring URL
Visit Entry Page
Visit Exit Page

On the "Cisionpoint" company, the "referring" URL that led to this post:

CisionPoint brings together - in one integrated customized dashboard - the on-demand tools you need to create, execute and evaluate superior campaigns from start to finish.

Log in to plan your campaign, connect with the media directly, monitor news coverage and analyze campaign results.

It will be interesting to see how this horrifying episode is "managed" by the corporate spin doctors.

-- SS

Feb. 21 addendum #2:

Here is a message posted by the organization:

Message from the chief operating officer

Posted today

Christiana Care is steadfast in our commitment to the safety and well-being of our patients, employees and all visitors to our campuses.

The Delaware State Police have issued a press release identifying a suspect in the case of inappropriate touching first reported late last year. The suspect is a former first year medical resident at Christiana Care.

The prompt and thorough work of our Department of Public Safety when the allegations first surfaced, and information we shared with the State Police from our robust health information technology system, was instrumental to the process. We quickly identified the medical resident as a person of interest, and took swift action to prevent any further patient contact. As a result of our preliminary investigation, he was suspended and upon further investigation dismissed from employment.

Our rapid response when the allegations were first reported revealed no systemic issues contributed to this incident. As an organization guided by learning, we are continuing a thorough review of best practices in hospital security to determine if there are any new security measures we should adopt.

[Hopefully in the intervening years since I was CMIO, they've become even more of a learning organization compared to here, here and here, where under the prior "C" level leadership they learned so much from me and made me feel so at home, I felt compelled to leave to maintain my sanity - ed.]

We remind and encourage all patients and family to always ask health care providers to identify themselves, explain why they are there to see the patient, and explain the care provided to them. All Christiana Care employees are required to prominently display their identification badges.

[One wonders if they now permit PhD holders to use that credential on the badge, not permitted when I was there - ed.]

We deeply regret the alleged incidents and our concern for the affected patients is shared throughout our health system.

Gary Ferguson
Chief Operating Officer

As I knew Mr. Ferguson in a prior role, and as he is a good person, I with some regret point out that this appears to be corporate spin control.

A truly "robust" HIT security system, in my opinion, would have flagged the perpetrator after the first victim. It might even have prevented the molestation if there was a time delay between when he, as a trainee, trolled for a victim by viewing the records of a private patient, and then saw the patient, without some medical emergency that could have justified the records breach.

Merriam-Webster dictionary

adj \rō-ˈbəst, ˈrō-(ˌ)bəst\

a : having or exhibiting strength or vigorous health
b : having or showing vigor, strength, or firmness [a robust debate] [a robust faith]
c : strongly formed or constructed : sturdy [a robust plastic]
d : capable of performing without failure under a wide range of conditions [robust software]

This "robust" system, after all, is a system critical to human life and well-being, not an inventory system of medical data.

Let an unauthorized person access, say, government intelligence files, and see how far that flies...

(Notwithstanding the Wikileaks affair, where the low-level person who accessed the diplomatic files did have authorization to access the servers, through managerial complacency.)

-- SS

Feb. 26 Addendum:

This story was picked up by the Newark Post, the local newspaper in Newark, Delaware, where Christiana Hospital is located.

Questions raised about access to hospital medical records
By Doug Rainey, Newark Post
Published: Thursday, February 24, 2011

-- SS
