Ethics in Medical Records Access
There has been some discussion over whether Jesse Singal and his source, Jamie Reed, violated HIPAA policies in this piece. I want to explore why there might be some confusion on this issue, what likely occurred, and how we should think about escalation / whistle-blower cases like this.
My conclusions:
Reed almost definitely violated Washington University (Wash U) / BJC policies on data handling and patient privacy by maintaining the spreadsheet and sharing it with Singal.
This does not necessarily imply that either she or Singal violated HIPAA.
We should think carefully about the implications of using HIPAA and company policies to dismiss whistleblowers.
To get a few caveats out of the way:
I worked at BJC, the parent company of St. Louis Children's Hospital, over a decade ago, on the clinical systems. These have almost certainly since been replaced. I continue to work in Big Tech e-commerce, with its own set of privacy policies.
I am not a lawyer, nor an expert in the actual HIPAA statute, or case law thereof.
I am generally sympathetic to Singal's reporting on these issues, or, to be more precise, unsympathetic to some of his most vociferous critics.
I have an undergraduate degree from Washington University, and my daughter has a pending application to attend there in the fall.
I think a good deal of the confusion on this issue is a failure to distinguish between the policies an entity like BJC or Wash U establishes to ensure compliance with HIPAA and the statute itself.
HIPAA sets forth activities that are criminal; companies establish their own policies to ensure they remain compliant (and, hopefully, out of an abiding commitment to patient privacy) that are likely inside some buffer of the letter of the law.
I spent my summers managing a large food stand at Six Flags in New Jersey. About half the workers were under 18, and state law mandated rules about how many hours they could work in a day and how long they could go without a break. Six Flags established policies inside of those so that there was a buffer in the case of an accident.
In the case of HIPAA, when I worked at BJC, I was warned (and warned others) that we must never access patient records without a specific work-related reason to do so (even our own or our children’s), or take data out of the controlled systems. We had to regularly acknowledge these policies and assent to them. (The same is true in my current job in Big Tech e-commerce.) I considered violating these policies to be just grounds for termination.
Such trainings do not distinguish between what is strictly required by the statutes and what are requirements imposed by the company to ensure compliance, so for most people receiving such trainings, the line between them becomes blurry. In reality, I could have gotten fired if I had accessed my daughter’s test results, but it would not have been a crime. But as far as I was concerned, that was a distinction without a difference. Both termination and criminal prosecution were consequences I was not willing to risk. So, it was in the bucket of “HIPAA violations.”
I think this blurring is in play for a lot of the HIPAA speculation surrounding Singal and Reed. Many of us have had HIPAA training over the years, and Reed's activities certainly smack of those we were instructed were prohibited.
Wash U and BJC almost certainly still have policies in place that employees are not to access patient data without a specific clinical purpose, and by accessing this data to build her spreadsheet, Reed almost certainly violated them. By transferring it from the audited and controlled system to an unmanaged spreadsheet, she almost certainly violated another policy. And sharing that data with Singal, even in anonymized form, likely violated yet another policy, though this one is more about intellectual property than privacy.
Whether these actions constitute statutory violations depends on how effectively personal information was purged from the data, and at what stages this anonymization was done. Singal's reporting leaves open the possibility that the data was sufficiently anonymized to stay clear of a violation, but that is not something I am qualified to evaluate, nor am I inclined to wade into those details. I will say I am skeptical that Reed managed to maintain strict compliance with the statute absent legal guidance.
So, how should we feel about this?
If we read HIPAA as strictly as these critics would have us do, it would seem to prevent activities necessary to ensure the health care system is operating well.
Let’s say that someone working on a hospital floor observes that a lot of people admitted to that unit develop staph infections. She raises this concern to her supervisor, who dismisses her concerns as just a few anecdotes. If we adopt the reading of HIPAA that these critics put forward, it would prevent her from accessing patient records to build a data-supported case that there is in fact a problem, or from further escalating her concerns (including with outside agents) if she continues to be ignored. That seems like a bad thing.
To get on the other side of the culture war, a common thread of criticism of Singal's work on these issues is that it is cited by red state legislatures when they impose restrictions on care for trans youth. It seems that it would be helpful to the cause of overturning these laws to demonstrate that they lead to bad clinical outcomes for trans youth. This use of HIPAA would prevent a concerned clinician from building and sharing a data-driven case that these policies are harmful. The same goes for stories of women with complications being denied abortions. It seems unwise for those opposed to these laws to deny themselves this tool. And if HIPAA really does prevent such whistle-blowing, that is a bug, not a feature, and it should be updated.
More broadly, it is very concerning to see journalists expressing glee at the idea of a journalist or whistle-blower being punished for a technicality in exposing the activities of a big company. None of the actual patients has come forward alleging harm or complaining about a breach of privacy. It is a pretext to get people to shut up. Almost every exposure that relied on inside information included some breach of either policy or law. Discussions of those revelations do not center on whether they violated some corner of the law, nor should they.