EMS COMMUNITY CALLS FOR HEARINGS ON PATIENT PRIVACY BREACH BY DEPARTMENT OF HEALTH
Department of Health personnel provided unlimited access to patient records to the New Jersey State Police Fatal Accident Reporting System
December 22, 2021, Trenton, New Jersey – A volunteer first aid squad blew the whistle on back-door access to an electronic medical records system used by ambulances around the State that was given by the Department of Health, Office of EMS, to the New Jersey State Police, Fatal Accident Reporting System. The reasons that the State Police were accessing this medical information remain unclear.
The Lincoln Park First Aid Squad, along with other squads that belong to the EMS Council of New Jersey 17th and 18th Districts, inadvertently discovered that this access existed in November as it was never publicly disclosed. This high-level “administrator” access allowed members of the State Police to see the medical records for any patients transported by the Squad without any oversight or limitation. The ImageTrend electronic medical record system, which was used by the Squad at the time, is provided by the Department of Health free of charge to many ambulance providers across the State. That improper access was quickly and quietly removed by the Department, but not before the privacy breach was noted and evidence of the access was preserved.
Federal HIPAA regulations require the Squad to report to the U.S. Department of Health and Human Services any instances in which medical records were accessed without proper authorization. The Squad, through its attorneys Keavney & Streger, LLC, contacted Dr. Terry Clancy, Director of the Office of EMS, to obtain information and determine the nature and scope of the medical records accessed. Rather than provide details to facilitate the investigation, Director Clancy responded that this was normal business under a separate data sharing agreement which has strict limits on the type of information accessible related to opioid overdoses. Instead, this appeared to be a completely new granting of blanket access to any medical record without controls. Rather of answering these reasonable questions, the Squad and its members were threatened with discipline for pausing data sharing with the State to ensure privacy protections during the investigation.
The Squad contacted Commissioner Judith Persichilli with these concerns, but no reply whatsoever was received to that request. As a result, the Squad has requested formal hearings on this topic in the Senate and Assembly Health Committees.
“The Squad needs to know the scope of this improper access to conduct its federally-mandated data breach investigation. But more importantly, the public has a right to know what medical records were accessed, and why, and if that access is still happening today,” said Matthew R. Streger, Esq., attorney for the Squad. “During this pandemic, the last thing we need is patients not calling 911 for fear that their medical records are going to be looked at by unauthorized persons, especially law enforcement. There is no reason for this to have occurred, and we must make sure that it never happens again.”