INF SEC: PLEASE HELP ME WITH Case Study: At a teaching hospital, many medical st
Question
INF SEC: PLEASE HELP ME WITH Case Study: At a teaching hospital, many medical students may be assigned to a single patient to review and learn from the cases that are present in the hospital with hands-on experience. However, access to medical records is only allowed if you are actually assigned to the case. It is a policy that is reviewed at the start of each clinical rotation, and violations of this policy are monitored through the IT access logs. Violations of this policy are taken very seriously, up to and including expulsion from med school.

There was a patient who was bitten by a bat and developed rabies. Rabies is common in animals, but nearly always fatal in humans. A physician proposed a very unconventional treatment, and the patient lived. This made medical history and became a medical case study that was reviewed in many medical forums, including grand rounds (where many physicians come to hear about new technologies and treatments).

After this particular grand round, the IT performed a medical records access audit. Even though the information about the case was already shared with everyone in grand rounds, there was a spike in the number of medical students accessing the patient's chart. Over 50 unauthorized accesses were discovered shortly in the week following the presentation. When confronted about their privacy violations of the medical records, students were often genuinely surprised, and felt that this was a legitimate reason for accessing a patient's chart - to learn more about the case (after all, they were there to learn!). The access policies were re-written to include this as a specific example of violations, and the students were given a severe warning in their student files. A second violation would result in their expulsion from medical school.

Were the students right or wrong to access the chart? Was the access audit effective? Was the policy effective? What other types of situations lead to violations of a privacy policy? Are audits the best way to manage these? When you know that a person may lose their job as a result of the audit that you perform but you know more of the reasoning why they did the violation, does this create an ethical dilemma for you?
Explanation / Answer
I feel that the students weren't right for accessing the charts. It was very clearly mentioned and explained to them that this is against the policies of the hospital, and they were being trained in the hospital only after agreeing to the institute's policies. The hospital probably would've released this data and the records if they thought it was something very important that they should all know.
Yes, the access audit was effective. It was a loophole in the system that was being pointed out and due to this, it could be given another thought.
The policy was very effective as it shows integrity and trust on the student's part. On very clearly mentioning that the records should not be directly accessed, they did re-evaluate their policies and let the students off with a warning.
In cases where a theft has occurred and the list of visitors HAS to be disclosed, medical records of someone who has disappeared need to be disclosed on request by forensic doctors, or personal details of a student are sold by institutes for profits.
The ethical dilemma can be understood much better if you realize that overlooking the problem shows a lack of integrity on your part and your disrespect towards the job. It can end up with you losing your job for not doing it well enough.