In an interesting twist, the woman alleged that her husband, who worked at the hospital, was able to access her EMR and share them with a co-worker. This was not just any co-worker. Allegedly, it was a co-worker with whom the husband was having an affair.
In what can, at best, be classified as a moral victory, the judge held that while an invasion of privacy may have occurred, there was no evidence that the hospital violated the law.
The woman’s theory was that the hospital had falsely represented that it properly safeguarded EMR in order to obtain funding under HITECH (Health Information Technology for Economic and Clinical Health Act), which encourages hospitals to use electronic records. She claimed that the hospital should have been more diligent in checking for security breaches.
In dismissing her claim, the court held that there was nothing in HITECH that required the hospital to check for breaches more often.
The takeaway? The case underscores the importance of having safeguards in place to limit who can access a patient’s EMR. A specific federal regulation requires exactly that. According to 45 C.F.R. § 164.312(a)(1), a covered entity must implement technical policies and procedures for systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights.