Case Study: At a teaching hospital, many medical students may be assigned to a single patient to review and learn from the cases that are present in the hospital with hands-on experience. However, access to medical records is only allowed if you are actually assigned to the case. It is a policy that is reviewed at the start of each clinical rotation, and violations of this policy are monitored through the IT access logs. Violations of this policy are taken very seriously, up to an including expulsion from med school.

There was a patient who was bitten by a bat and developed rabies. Rabies is common in animals, but nearly always fatal in humans. A physician proposed a very unconventional treatment, and the patient lived. This made medical history and became a medical case study that was reviewed in many medical forums, including grand rounds (where many physicians come to hear about new technologies and treatments). After this particular grand round, the IT performed a medical records access audit. Even though the information about the case was already shared with everyone in grand rounds, there was a spike in the number of medical students accessing the patient's chart. Over 50 unauthorized accesses were discovered shortly in the week following the presentation.

When confronted about their privacy violations of the medical records, students were often genuinely surprised, and felt that this was a legitimate reason for accessing a patient's chart - to learn more about the case (after all, they were there to learn!) The access policies were re-written to include this as a specific example of violations, and the students were given a severe warning in their student files. A second violation would result in their expulsion from medical school.

• Were the students right or wrong to access the chart?
• Was the access audit effective? Was the policy effective?
• What other types of situations lead to violations of a privacy policy?
• Are audits the best way to manage these?
• When you know that a person may lose their job as a result of the audit that you perform but you know more of the reasoning why they did the violation, does this create an ethical dilemma for you?