Our electronic medical records are supposed to be protected by layers of security, and violators who breach the security are to receive stiff punishments. But a Bennington woman -- after her e-medical records were illegally accessed more than 100 times over a 12-year period -- says privacy policies provide a false sense of security and penalties to deter breaches need to be much stronger.

Vermont Superior Court, Bennington

Despite a HIPAA (Health Insurance Portability and Accountability Act) investigation by the federal Office of Civil Rights that substantiated the unauthorized access of the woman’s records at Southwestern Vermont Medical Center, despite a review by the Licensing and Protection Division of the Vermont Agency of Human Services that found the hospital had failed to meet three key standards for medical records privacy and security, despite calls to the FBI, contact with key legislators, and an investigation by the Bennington Police Department, the violator, Kathy Tatro, 54, of Bennington, was given a suspended sentence, fined $2,000, and made to perform 160 hours of community service in return for pleading guilty to four misdemeanor counts of unauthorized access of computer records. She continues to work in a hospital – although not the one where she spied on others’ records – and the hospital where the breaches occurred faced no reported sanction; it was only told it had to take corrective action so patients’ medical information was better protected.

(Read the Rutland Herald and Bennington Banner stories on the sentencing.)

To the victim, the penalty was just a slap on the wrist. The whole experience has “left me feeling extremely violated,” she told Judge Cortland Corsones at Tatro’s sentencing hearing last week in Vermont Superior Court in Bennington.

This is believed to be the most extensive breach of personal electronic medical records ever reported in Vermont. Besides the 106 accesses to the victim’s own records, the breach included 94 accesses to her children’s records. The number of breaches, the 12-year span over which they occurred, and the failure of hospital officials to promptly investigate suspicious records access patterns go beyond any scenario sketched by state health officials when describing the risks of storing patients’ medical information in electronic databases.
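The detection gap described above, a staff member repeatedly opening the charts of one patient and her children over many years with no care relationship, is exactly what routine review of EHR access audit logs is meant to catch. The following Python sketch is an added illustration, not code from the article, the hospital or any EHR vendor; the audit-log entries, the care-team table, the family links and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log entries: (timestamp, staff user, patient record opened).
# Real EHR systems log these "record viewed" events; the values here are invented.
AUDIT_LOG = [
    ("2010-01-05T08:00:00", "nurse_a", "P100"),
    ("2010-01-06T08:00:00", "nurse_a", "P100"),
    ("2010-02-01T08:00:00", "nurse_a", "P100"),
    ("2011-06-01T10:00:00", "nurse_a", "P200"),  # one-off look, no care relationship
    ("2010-04-10T22:15:00", "clerk_b", "P300"),
    ("2011-09-02T23:40:00", "clerk_b", "P300"),
    ("2013-12-24T21:05:00", "clerk_b", "P300"),
    ("2015-05-30T22:50:00", "clerk_b", "P300"),
    ("2012-02-14T22:00:00", "clerk_b", "P301"),
    ("2014-08-19T23:10:00", "clerk_b", "P301"),
    ("2016-01-03T20:30:00", "clerk_b", "P302"),
]

# Constructed care-team table: (staff user, patient) pairs with a documented
# clinical reason to open the chart (assignment, encounter, referral).
CARE_TEAM = {("nurse_a", "P100"), ("nurse_a", "P101"), ("clerk_b", "P200")}

# Constructed family links: a patient and the dependents whose records are
# linked to hers, so accesses to the household can be reviewed as one case.
FAMILY = {"P300": ["P301", "P302"]}


def find_suspicious_access(log, care_team, min_hits=3, min_span_days=30):
    """Return (user, patient) pairs with no care relationship whose accesses
    are either repeated (>= min_hits) or spread over a long period
    (>= min_span_days). Thresholds are assumptions for the example."""
    by_pair = defaultdict(list)
    for ts, user, patient in log:
        by_pair[(user, patient)].append(datetime.fromisoformat(ts))

    findings = []
    for (user, patient), times in by_pair.items():
        if (user, patient) in care_team:
            continue  # documented reason to open the chart
        times.sort()
        span_days = (times[-1] - times[0]).days
        if len(times) >= min_hits or span_days >= min_span_days:
            findings.append({"user": user, "patient": patient,
                             "count": len(times), "span_days": span_days})
    return findings


def link_household_patterns(findings, family):
    """Group findings by household head so one staff member reading a patient's
    chart and her children's charts surfaces as a single case for review."""
    parent_of = {child: parent for parent, kids in family.items() for child in kids}
    grouped = defaultdict(lambda: {"patients": set(), "count": 0})
    for f in findings:
        head = parent_of.get(f["patient"], f["patient"])
        entry = grouped[(f["user"], head)]
        entry["patients"].add(f["patient"])
        entry["count"] += f["count"]
    return {key: {"patients": sorted(v["patients"]), "count": v["count"]}
            for key, v in grouped.items()}


if __name__ == "__main__":
    hits = find_suspicious_access(AUDIT_LOG, CARE_TEAM)
    for case, detail in link_household_patterns(hits, FAMILY).items():
        print(f"review: user={case[0]} household={case[1]} "
              f"records={detail['patients']} accesses={detail['count']}")
```

Run against the constructed log, the check ignores the nurse's accesses to her own patient, ignores a single one-off look, and reports the clerk's accesses to the household of P300 as one case with six accesses across two records. The point of the household grouping is that a per-record threshold alone would miss the child whose chart was opened only twice; reviewed together with the parent's record, the pattern is obvious.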

“What I’ve been through, nobody should go through,” the victim said in court. “What is the sense of having a HIPAA law if it’s not enforced? I’m angry at the hospital for not protecting me, for giving me a false sense of security that my privacy was protected.”

Many e-medical records also contain what’s called “demographic data.” This includes a person’s date of birth and Social Security number. So not only is someone’s medical history revealed once e-medical records are accessed, but so is information that can be used to assume the victim’s identity.

(Tatro was in fact originally charged with identity theft, a felony, but the charge was dropped after no evidence could be found that she had actually used the personal ID information she had obtained to impersonate the victim.)

Asked by the judge why she had looked at the records, Tatro answered, “Morbid curiosity.” She did so with no malice and no thought of personal gain, she said. Tatro is married to the victim’s ex-husband.

In announcing the sentence, Judge Corsones said Tatro’s crimes were “not crimes of violence, but they have had an effect on the victim.”

One effect, the victim explained in court, was how the system let her down. No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.

“I’ve exhausted all remedies. Justice needs to be done,” she told the court.

In addition to her suspended sentence and fine, Tatro must write a letter of apology to the victim and speak to health care workers about the importance of medical records privacy. She’ll be on probation for two years as well.

But the penalties don’t add up to the punishment needed to deter others from doing what Tatro did, the victim said. “What I’ve been through is not fair.” She said she was not on a “personal vendetta”; she just wanted to make sure what happened to her doesn’t happen to others.