Saturday, May 31, 2014

UCSD gives consent for sharing medical records without patient approval

I got an interesting letter from UCSD three days ago. It told me that I had consented to share my electronic medical records.

The trouble is--I had NOT given my consent. I never signed a consent form. I never clicked a box on the Internet agreeing to share my records.

And the letter from UCSD did NOT arrive in my home mailbox or even in my email. It was purely by chance that I found it on MyUCSDChart—NOT among the MyChart emails. If it had been among the MyChart emails, I would have received an alert about it in my regular email.

UCSD was definitely NOT trying to make sure that I found out about my “consent”.

Today, each time I have clicked on the link about sharing electronic medical records on MyUCSDChart, I found myself unceremoniously thrown back to the sign-in page. Automatically signed out. They really don't like it when I click on the link!

UCSD seems to be remarkably fond of both signing me in and signing me out--without my involvement--whenever it feels like it.

I found this page on the UCSD site about sharing electronic records. It seems that I am now part of two databases: The San Diego Beacon Health Information Exchange, and something called Care Everywhere.

It's not that I want to keep my records secret. In fact, I think sharing electronic records is basically a good idea. It's just that I've had problems with health providers hiding my own test results from me, so I'm sensitive about doctors violating the law regarding medical records.

Apparently the VA is also part of this system, but the VA has a more transparent consent process.

I've heard of falsified medical records, but this is the first time I heard of a falsified consent for release of medical records.

I found some interesting stuff about UCSD's informed consent process for patients in research projects:

iDASH Integrating Data for Analysis, Anonymization and SHaring

Informed Consent

Paper Consent versus Electronic Consent

Traditionally, paper-based consent has been the medium through which researchers and physicians conducted the informed consent process. The paper-based process consists of giving a hard copy consent form to a patient for him or her to review. Then a care provider answers any questions from the patient and in some cases assists the patient in reviewing the paper consent forms. The issues surrounding this procedure are that the paper-based consent form tends to be long and monotonous, and the retrieval of paper forms is often time-consuming.

The new electronic consent forms use tablets or computers as the medium for communicating information and seeking consent from the patient...The iDASH team is also currently working on two systems, iCONS and iCONCUR, which are intended for such open source use in the future.

iDASH electronic informed consent management system

iCONS is a system currently being tested in a clinical trials environment at Moores Cancer Center Biorepository. The system supports informed consent electronically by enhancing the consent process for patients and researchers by acting as a consent broker and by adding multimedia aspects to the process. This consent process is opt-in, meaning no patient information is shared with researchers until the patient specifies what specific information he or she would like to share with researchers. The iCONS system creates a permission ontology to model the consent choices of the patient to assist in the process of releasing data and specimens to researchers for their consented uses.

iCONCUR is a pilot study within the University of California - San Diego Health System. This system transforms the sharing of electronic records from the opt-out system that is currently in place, meaning a patient’s record is automatically entered into the system unless the patient specifically requests to have their records taken out, to an opt-in system. The tool presents the patient with a taxonomy of his or her medical record, allowing the patient to dictate what parts of the medical record to share and with whom they may be shared.


Tufts Medical Center sued for faxing patient records without consent
July 15, 2011
By Karen Cheung-Larivee

Tufts Medical Center in Boston faces a lawsuit after a patient said the hospital faxed her medical records to her workplace without her consent, causing her embarrassment, reports The Boston Globe yesterday.

"I feel like I might have walked in (the office) naked," said patient Kimberly White.

White requested Tufts to send a form for a disability claim, but instead the hospital allegedly sent four pages of medical records about her hysterectomy to a shared fax machine at her workplace.

White filed a complaint in Plymouth County Superior Court. The hospital denies any wrongdoing, according to the article.

Tufts spokeswoman Julie Jette said, "In this matter, we complied with a patient's request to share information. We firmly believe we responded to the patient's request appropriately."

"I can't go back there," White said. "I am so embarrassed. ... I couldn't live with knowing what these people knew about me."

Earlier this year, another Boston hospital, Massachusetts General Hospital, faced accusations that an employee lost records of 192 patients on the subway. The hospital in February settled the federal case for $1 million, according to the article.


UCLA Health System pays $865G to settle HIPAA violation charges
July 8, 2011
By Ken Terry

UCLA Health System has agreed to pay a fine of $865,000 and to develop a corrective action plan to settle potential HIPAA privacy violations involving improper disclosures of medical records at its three hospitals, the federal Office of Civil Rights (OCR) reports.

OCR launched the investigation in 2009, following complaints by two unnamed celebrities that their medical records had been compromised. The government probe revealed that from 2005 to 2008, "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients," according to an OCR press release.

The Los Angeles Times reports that violations allegedly occurred at all three UCLAHS hospitals: Ronald Reagan UCLA Medical Center, Santa Monica UCLA Medical Center, and Orthopaedic Hospital and Resnick Neuropsychiatric Hospital, which are regarded as a single unit.

The hospital had disclosed in April 2008 that it had discovered that several employees had snooped into the patient records of dozens of celebrities, including Britney Spears, Tom Cruise and Maria Shriver.

When the alleged violations came to light in 2008, the California legislature passed a law that imposed escalating fines on hospitals for patient privacy breaches. The state fined UCLAHS $95,000 in 2009, reportedly in connection with the medical records of the late Michael Jackson.

The UCLAHS settlement with OCR is much smaller than previous HIPAA settlements, including those involving CVS Caremark ($2.25 million) and Rite Aid ($1 million).

As part of its settlement, UCLAHS agreed to institute new security and privacy policies, improve employee training, take action against employees who violate privacy rules, and designate an independent monitor to oversee compliance.

In a statement, UCLAHS said, "The UCLA Health System considers patient confidentiality a critical part of our mission of patient care, teaching and research. Over the past three years, we have worked diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities."


J Law Med Ethics. 2008 Fall;36(3):560-6. doi: 10.1111/j.1748-720X.2008.304.x.
Research on medical records without informed consent.
Miller FG.

Observational research involving access to personally identifiable data in medical records has often been conducted without informed consent, owing to practical barriers to soliciting consent and concerns about selection bias. Nevertheless, medical records research without informed consent appears to conflict with basic ethical norms relating to clinical research and personal privacy. This article analyzes the scope of these norms and provides an ethical justification for research using personally identifiable medical information without consent.

PMID: 18840249 [PubMed - indexed for MEDLINE]
