Monday, April 07, 2008

Yet another data point:

The LA times has had a number of stories lately about breaches of medical record confidentiality at UCLA. In my opinion, one of the key events in this series of events is buried in the middle of one of these LA Times stories.

After breaches of Brittany Spear's medical records became public knowledge, state officials apparently directly asked if there were other such breaches.

Before state officials conducted their own investigation, UCLA's chief compliance and privacy officer Carole A. Klove (who really should have known what breaches of privacy had occurred) was asked if there were other breaches of privacy. Ms. Klove denied knowing about any. The state then initiated it's own investigation.

The state's investigation is ongoing, but, at this point, it is known that at least 61 patients have had their records improperly accessed.

Here's an understated quote on this topic apprently from Kimberly Belshé, Secretary of California Health and Human Services Agency, as reported in the LA Times:

"UCLA assured us -- the state -- that the initial breach [of Spears' records] was an anomaly," Belshé said. "And we have since learned that, simply put, it is not anomalous."

Got that? It appears that the Secretary of California's Health and Human Services Agency is saying that she was unable to obtain accurate information from UCLA officials under direct questioning. If you, O Reader, are planning to interact with UCLA or UC officials as a patient, employee, contractor, student, supplier, or other, what makes you think you'll have better luck?

Addendum 11/08: based on this story, it appears that the state, now led by a celebrity governor who may have a personal interest in confidentiality at California health institutions, partially investigated this matter. A review of records only from the Resnick Neuropsychiatric Hospital at UCLA from between January 2004 and June 2006 indicated that there were over 1,000 patients whose privacy was violated by at least 165 different UCLA personnel.

First: Wow. Over 1000 patients violated only between Jan 2004 and June 2006 at only one UCLA facility. 165 UCLA personell. Violation of patient confidentiality is obviously pretty widespread.

Second: What is the purpose of having a chief compliance and privacy officer who not only didn't stop these violations of patient privacy, but assured the state (prior to the investigation) that such violations of privacy were "an anomaly?" It appears that the purpose of that position is not to actually ensure compliance and privacy, but to simply exist, so that UCLA can claim a commitment to compliance and privacy based on the fact that they have such an officer. I'm still trying to figure out if this is better or worse than the alleged practice that emerged during discovery over the lawsuits over the Neuchterlin-Gitlin experiments, when UCLA allegedly certified the existence of a federally required research compliance officer who didn't actually exist.

05/16/09
I haven't seen any mention of fines applied to UCLA over this matter. Compare that outcome to the outcome of this story in which only one patient's records were violated, no records were known to have been sold, the hospital involved (Kaiser) found out through an investigation done on it's own initiative, and the hospital involved punished its staff members without State intervention. Kaiser was fined $250,000. The disparity in apparent outcomes is simply stunning.