
Security Lapse



Daniel Mason, MD | September 1, 2004

The Case

A medical student learned that the hospital's radiology image library was accessible throughout the university's computer system, meaning that patient x-rays could be viewed in dormitories, libraries, and at public terminals. Moreover, the images were accessible through the Internet, on a Web site that didn't require any user identification or password.

Concerned that the public accessibility of this information constituted a violation of patient privacy, he alerted another medical student who worked in the ethics department and asked her to speak with her faculty mentor. She did, but relayed that her mentor was unconcerned with this problem. During the student's Health Insurance Portability and Accountability Act (HIPAA) training, he again became concerned that, by not securing patient privacy, the hospital was in violation of HIPAA regulations and vulnerable to lawsuits. The student spoke with several faculty members in the medicine department regarding his concerns. The faculty members seemed surprised by the student's findings, but did not advise him to contact the hospital's HIPAA compliance officers nor undertake that action themselves.

Several months later, during the course of one of the student's clinical clerkships, he again mentioned the lack of security to an attending physician, who became very concerned and contacted the head of the hospital's HIPAA compliance office. Within hours, the office contacted the student for further description of the violation, and within a week the security problem was repaired. The total time elapsed between the student's initial identification of the problem and the hospital's solution was 18 months, several of which were after the April 2003 deadline for HIPAA compliance.

The Commentary

This case represents a common situation in which a medical student, having noticed an error, is confronted with the problem of whether, and how, to report it.

Communication failures commonly contribute to medical errors. A recent study of communication failures among medical residents described a complex mix of causes including the medical hierarchy, role ambiguity, and interpersonal dynamics.(1) A medical student's role is simpler than a resident's in certain respects—final decision-making always lies elsewhere, and one has to negotiate the hierarchy only in one direction, ie, responsibility cannot be delegated further. In other respects, though, it is more complex, involving fears of punishment, uncertainty of the hospital system, and a lack of medical knowledge.

Fear of punishment—sometimes coupled with the desire to impress—may influence a student's decision to report an error or abuse. While I personally never heard of a student being punished for reporting a mistake during my recently completed 4 years of medical school, fear of punishment still pervades many aspects of our training.(2) Yet, in error reporting, it is perception that matters. Published studies show wide variations in abuse perception.(3) I know of multiple situations in which classmates or friends at a variety of institutions have not "blown the whistle" on medical mistakes or ethical violations because they feared "retribution." Examples range from witnessing a non-sterile procedure or a hurried, incomplete advance directive conversation; hearing derogatory comments about a patient; or seeing a humiliating x-ray displayed in a lounge with a patient's name attached. In each instance, fear prevented the student from reporting the case: concern that a consultant would be less willing to help in the future, dread of public mockery from a senior resident, or even fear of a bad evaluation. A certain degree of fear is "healthy"; for example, the fear of being yelled at by a scrub nurse helped teach me to be vigilant about the sterile field. However, in other situations, it may prevent a student from reporting an error or abuse.

Students may also hesitate to report errors because they feel they lack the medical knowledge to question a decision, reasoning that "It seemed wrong, but what do I know?" Such a situation is quite common. Conversely, we have all witnessed errors without even knowing, whether medical or ethical in nature. In other situations, we may suspect an error has occurred, but not know how to confirm it.

This particular case emphasizes the issue of a student not knowing what to do. Students at my medical school are given an orientation to HIPAA regulations—a series of lectures and readings that seek to strike a balance between too little and too much information. While such orientation is sufficient to direct one generally to the regulations, it is perhaps not enough to teach a student to feel certain that a violation occurred. Thus, a student who wishes to confirm the HIPAA rules might visit the Department of Health and Human Services (HHS) Web site, where the summary of the rules runs 25 pages (4) and the policy document itself almost twice that many.(5) It is unlikely that any student, especially while on the wards, would find the time to parse this information. The fault here lies neither with HHS, nor our HIPAA-education program. Rather, just as medical errors have complicated causes, HIPAA is a complex medico-legal matter, which often requires a consulting authority.

Lack of knowledge of the hospital system complicates the decision to report, and students are often on their own when deciding how to report and to whom. To relate a personal experience, I remember discovering a colonoscopy report for a middle-aged Asian man filed in the computer system under the name of another of my patients, a young African-American woman. I noticed the mistake only because of the striking difference in the patient's age, name, race, and health problems. When I attempted to correct the error, each person I spoke to (in patient records, computer services, etc.) forwarded me to someone else, until I at last reached an answering machine (which couldn't pass me along further). Similarly, in this case, the student has no clear party to whom he can report the violation.

Several easy steps may not only facilitate reporting, but also enlist the help of students to decrease medical errors. Although students have limited medical knowledge, they have two compensatory advantages: first, they are "close to the ground" and may see errors that others would overlook. Second, students generally have more time to spend with patients than their supervising physicians. This opportunity for prolonged patient contact provides a learning opportunity for students and gives patients an opportunity to voice concerns. Departments should be proactive in enlisting students in the fight against errors, explaining on the first day of orientation that students' role uniquely positions them to identify medical errors. Indeed, reporting errors is one of the few ways that my classmates, often just onlookers, have actually saved lives. Encouraging reporting might lead to "false positives"—students reporting errors where in fact none existed. But I can hardly imagine that this would be so widespread as to create inefficiencies. Moreover, student reports of errors that are not true mistakes could be used as teaching opportunities.

For most medical errors, the most natural reporting system is the team's hierarchy. For example, a student can report to the resident, or to an attending physician. Early active encouragement of error reporting would limit the fear of punishment and the fear of being wrong. Otherwise, students could be given a means of safe and anonymous reporting, now considered an integral part of preventing medical errors, although with varied effects.(6) To help facilitate reporting in a case like this one, students should be oriented to an "error ombudsman"—someone who knows how to negotiate the system efficiently and report errors tactfully. This need not be a separate position, but simply a physician or administrator who is accessible to the students and knows the reporting system. The more inefficient it is to report an error, the fewer students will try. No one wants to be perceived as disturbing an already-stressed system.

Daniel Mason, MD
UCSF School of Medicine, Class of 2004


1. Sutcliffe KM, Lewton E, Rosenthal MM. Communication failures: an insidious contributor to medical mishaps. Acad Med. 2004;79:186-94.

2. Kassebaum DG, Cutler ER. On the culture of student abuse in medical school. Acad Med. 1998;73:1149-58.

3. Lebenthal A, Kaiserman I, Lernau O. Student abuse in medical school: a comparison of students' and faculty's perceptions. Isr J Med Sci. 1996;32:229-38.

4. United States Department of Health and Human Services. OCR privacy brief. Summary of the HIPAA privacy rule. Accessed August 9, 2004.

5. United States Department of Health and Human Services: Office for Civil Rights. Standards for privacy of individually identifiable health information regulation text; Security standards for the protection of electronic protected health information; General administrative requirements including, civil money penalties: procedures for investigations, imposition of penalties, and hearings. Accessed August 9, 2004.

6. Weingart SN, Callanan LD, Ship AN, Aronson MD. A physician-based voluntary reporting system for adverse events and medical errors. J Gen Intern Med. 2001;16:809-14.

This project was funded under contract number 75Q80119C00004 from the Agency for Healthcare Research and Quality (AHRQ), U.S. Department of Health and Human Services. The authors are solely responsible for this report’s contents, findings, and conclusions, which do not necessarily represent the views of AHRQ. Readers should not interpret any statement in this report as an official position of AHRQ or of the U.S. Department of Health and Human Services. None of the authors has any affiliation or financial involvement that conflicts with the material presented in this report.

