Cases & Commentaries

Security Lapse

Commentary By Daniel Mason, MD

The Case

A medical student learned that the hospital's
radiology image library was accessible throughout the university's
computer system, meaning that patient x-rays could be viewed in
dormitories, libraries, and at public terminals. Moreover, the
images were accessible through the Internet, on a Web site that
didn't require any user identification or password.

Concerned that the public accessibility of this
information constituted a violation of patient privacy, he alerted
another medical student who worked in the ethics department and
asked her to speak with her faculty mentor. She did, but relayed
that her mentor was unconcerned with this problem. During the
student's Health Insurance Portability and Accountability Act
(HIPAA) training, he again became concerned that, by not securing
patient privacy, the hospital was in violation of HIPAA regulations
and vulnerable to lawsuits. The student spoke with several faculty
members in the medicine department regarding his concerns. The
faculty members seemed surprised by the student's findings, but did
not advise him to contact the hospital's HIPAA compliance officers
nor undertake that action themselves.

Several months later, during the course of one of
the student's clinical clerkships, he again mentioned the lack of
security to an attending physician, who became very concerned and
contacted the head of the hospital's HIPAA compliance office.
Within hours, the office contacted the student for further
description of the violation, and within a week the security
problem was repaired. The total time elapsed between the student's
initial identification of the problem and the hospital's solution
was 18 months, several of which were after the April 2003 deadline
for HIPAA compliance.

The Commentary

This case represents a common situation in which
a medical student, having noticed an error, is confronted with the
problem of if, and how, to report it.

Communication failures commonly contribute to
medical errors. A recent study of communication failures among
medical residents described a complex mix of causes including the
medical hierarchy, role ambiguity, and interpersonal
dynamics.(1) A
medical student's role is simpler than a resident's in certain
respects—final decision-making always lies elsewhere, and one
has to negotiate the hierarchy only in one direction, i.e.,
responsibility cannot be delegated further. In other respects,
though, it is more complex, involving fears of punishment,
uncertainty of the hospital system, and a lack of medical

Fear of punishment—sometimes coupled with
the desire to impress—may influence a student's decision to
report an error or abuse. While I personally never heard of a
student being punished for reporting a mistake during my recently
completed 4 years of medical school, fear of punishment still
pervades many aspects of our training. (2) Yet, in error reporting, it is perception that
matters. Published studies show wide variations in abuse
perception.(3) I
know of multiple situations in which classmates or friends at a
variety of institutions have not "blown the whistle" on medical
mistakes or ethical violations because they feared "retribution."
Examples range from witnessing a non-sterile procedure or a
hurried, incomplete advance directive conversation; hearing
derogatory comments about a patient; or seeing a humiliating x-ray
displayed in a lounge with a patient's name attached. In each
instance, fear prevented the student from reporting the case:
concern that a consultant would be less willing to help in the
future, dread of public mockery from a senior resident, or even
fear of a bad evaluation. A certain degree of fear is "healthy";
for example, the fear of being yelled at by a scrub nurse helped
teach me to be vigilant about the sterile field. However, in other
situations, it may prevent a student from reporting an error or

Students may also hesitate to report errors
because they feel they lack the medical knowledge to question a
decision, reasoning that "It seemed wrong, but what do I know?"
Such a situation is quite common. Conversely, we have all witnessed
errors without even knowing, whether medical or ethical in nature.
In other situations, we may suspect an error has occurred, but not
know how to confirm it.

This particular case emphasizes the issue of a
student not knowing what to do. Students at my medical school are
given an orientation to HIPAA regulations—a
series of lectures and readings that seek to strike a balance
between too little and too much information. While such orientation
is sufficient to direct one generally to the regulations, it is
perhaps not enough to teach a student to feel certain that a
violation occurred. Thus, a student who wishes to confirm the HIPAA
rules might visit the Department of Health and Human Services (HHS)
Web site, where the summary of the rules runs 25 pages (4) and
the policy document itself almost twice that many.(5) It is unlikely that any student, especially while on
the wards, would find the time to parse this information. The fault
here lies neither with HHS, nor our HIPAA-education program.
Rather, just as medical errors have complicated causes, HIPAA is a
complex medico-legal matter, which often requires a consulting

Lack of knowledge of the hospital system
complicates the decision to report, and students are often on their
own when deciding how to report and to whom. To relate a personal
experience, I remember discovering a colonoscopy report for a
middle-aged Asian man filed in the computer system under the name
of another of my patients, a young African-American woman. I
noticed the mistake only because of the striking difference in the
patient's age, name, race, and health problems. When I attempted to
correct the error, each person I spoke to (in patient records,
computer services, etc.) forwarded me to someone else, until I at
last reached an answering machine (which couldn't pass me along
further). Similarly, in this case, the student has no clear party
to whom he can report the violation.

Several easy steps may not only facilitate
reporting, but also enlist the help of students to decrease medical
errors. Although students have limited medical knowledge, they have
two compensatory advantages: first, they are "close to the ground"
and may see errors that others would overlook. Second, students
generally have more time to spend with patients than their
supervising physicians. This opportunity for prolonged patient
contact provides a learning opportunity for students and gives
patients an opportunity to voice concerns. Departments should be
proactive in enlisting students in the fight against errors,
explaining on the first day of orientation that students' role
uniquely positions them to identify medical errors. Indeed,
reporting errors is one of the few ways that my classmates, often
just onlookers, have actually saved lives. Encouraging reporting
might lead to "false positives"—students reporting errors
where in fact none existed. But I can hardly imagine that this
would be so widespread as to create inefficiencies. Moreover,
student reports of errors that are not true mistakes could be used
as teaching opportunities.

For most medical errors, the most natural
reporting system is the team's hierarchy. For example, a student
can report to the resident, or to an attending physician. Early
active encouragement of error reporting would limit the fear of
punishment and the fear of being wrong. Otherwise, students could
be given a means of safe and anonymous reporting, now considered an
integral part of preventing medical errors, although with varied
effects.(6) To
help facilitate reporting in a case like this one, students should
be oriented to an "error ombudsman"—someone who knows how to
negotiate the system efficiently and report errors tactfully. This
need not be a separate position, but simply a physician or
administrator who is accessible to the students and knows the
reporting system. The more inefficient it is to report an error,
the fewer students will try. No one wants to be perceived as
disturbing an already-stressed system.

Daniel Mason, MD
UCSF School of Medicine, Class of 2004


1. Sutcliffe KM, Lewton E, Rosenthal MM. Communication failures: an insidious contributor to medical mishaps. Acad Med. 2004;79:186-94.

2. Kassebaum DG, Cutler ER. On the culture of student abuse in medical school. Acad Med. 1998;73:1149-58.

3. Lebenthal A, Kaiserman I, Lernau O. Student abuse in medical school: a comparison of students' and faculty's perceptions. Isr J Med Sci. 1996;32:229-38.

4. United States Department of Health and Human Services. OCR privacy brief. Summary of the HIPAA privacy rule. Available at the HHS Web site. Accessed August 9, 2004.

5. United States Department of Health and Human Services, Office for Civil Rights. Standards for privacy of individually identifiable health information regulation text; Security standards for the protection of electronic protected health information; General administrative requirements including civil money penalties: procedures for investigations, imposition of penalties, and hearings. Available at the HHS Web site. Accessed August 9, 2004.

6. Weingart SN, Callanan LD, Ship AN, Aronson MD. A physician-based voluntary reporting system for adverse events and medical errors. J Gen Intern Med. 2001;16:809-14.