By Wilson Dunlop [Pseudonym].
Just two weeks into my third year of medical school, I committed a grave sin. I was alone in my room on my laptop, familiarizing myself with the software that powered the electronic health record (EHR). It was like any other night—a mixture of laziness and productivity and needless juggling between my electronic devices—except on this day a thought crept into my mind while using the EHR’s search engine. “Can this thing look up anybody’s medical record?” I got curious, and it led me astray. Next thing I knew, a friend’s face popped in my head, likely from having just seen this individual’s Instagram profile on my downtime, and I started typing. To my surprise, the friend’s name showed up in the search field. I hesitated. I was tempted. And with one simple click, I fell down a rabbit hole I wish I never knew existed.
In that moment, it didn’t occur to me that I had violated the Health Insurance Portability & Accountability Act (HIPAA), a U.S. federal law that protects individuals’ medical records. I didn’t know any better. It felt like a peek, like opening Facebook to quickly check the status of my friends. Because I was a healthcare worker, somehow it felt justified. I knew it wasn’t okay to share the information I had accessed with anybody else. That part was clear from the online trainings and hospital elevator signs. But when the boundary between your personal and professional life blurs for the first time without repercussion, it becomes hard to escape from it. A few months later, I found myself going down the same rabbit hole. Another quick peek. And again a few months after that. It was the same scenario—just me on my laptop, bored, with nobody to yell at my face that this was morally wrong. There were no clear warning signs. I couldn’t course-correct. It took nearly a year to finally come to my senses, when a privacy monitoring technology picked up on my suspicious behavior, and I received a notice from the medical school.
By this point, I was a fourth-year medical student getting ready to apply for residency. The privacy technology flagged three charts I had accessed a week prior. The names of those patients were underlined in the notice—they were my friends. My heart sank. Afterward, I had a meeting with a HIPAA privacy officer, who probed about my access with a cold-eyed stare. I was scared. I admitted to the access, citing curiosity and boredom. But at the end of our conversation, the officer asked a question I feared the most: “Are there more than these three?” I paused, as my body’s fight-or-flight response kicked in. In a low voice, I said no. It was the biggest lie I had ever told in my life. The larger truth was overwhelmingly shameful. I prayed that they would never find out. I promised myself that something like this would never happen again. I made a mistake. I’m not a bad person. I thought I had learned my lesson already.
Every access, every click, and every search you make is documented. I know this because in my next meeting with the HIPAA officer, an Excel sheet was presented to me, showing exactly what I feared—all my access from prior dates. The evidence was clear. I knew I had to let my guard down. The officer wanted a motive, however, and kept pressing me until she got one. She was convinced that there was something inherently wrong with me as a person. I felt stuck because my motive wasn’t anything malicious—it was curiosity gone too far. Yet the officer’s eyes were filled with disgust. In turn, I began to feel disgusted at myself. The weight of what I had done became too heavy to bear. It was then I learned the lowest point of your life isn’t when you lose what’s most precious to you, but when your self-hatred overtakes your will to live. The next time I met with the HIPAA officer was at a hearing in front of 15 deans and professors of the medical school, where my fate was determined. I was charged with having a lack of honesty and integrity, violating the School’s Code of Conduct, and violating a federal law.
The hearing lasted over two hours. It was stressful and emotional. My violation was read out loud by the HIPAA officer in front of the entire hearing committee. I sat there, face down, feeling completely naked, shackled to my chair with intense shame and guilt. When it was my turn to speak, I pleaded guilty. I asked for a second chance because I had no other choice. The most difficult part was when one of the committee members—a former teacher of mine—said to me, “I regarded you as one of my best students in my 25 years of teaching. I am shocked.” All I could really say in response was that I was sorry.
The wait after the hearing felt like a lifetime. I met with the Dean of Student Affairs, and by this point, we had seen each other more times than we could count. I learned to read her facial expressions, and before she even said a word, I already sensed the dread that was coming my way. Despite how tightly I clung onto hope, deep down, I knew that there was only one appropriate sanction for a violation like this. What wasn’t evident before was now crystal clear to me: intentional and unauthorized access of protected health information is a serious HIPAA violation and grounds for termination. So, on the day after my residency application was due, I was dismissed from the medical school. My career as a physician ended before it had even started. Strangely, after hearing this outcome, I had a rush of relief. The emotional burden that was the last two months was finally over, or so I thought. That relief was short-lived.
Losing my dream, my career, my community, my friends—my identity—this way generated an enormous amount of grief. I felt worthless, undeserving of living life. Things didn’t end there. By law, the HIPAA office was required to notify every affected individual that a breach of their medical record had occurred. The possibility that my shameful act could be exposed to my entire social and professional circle felt like a life sentence. Dark thoughts clouded my mind. It was tormenting. It took time, but somehow, I was able to hold on and find a way to move forward. I still live with regret each day, not because of the losses I experienced, but because people were hurt through my actions. While it was never my intention to cause pain, there is simply no excuse for my behavior. I disregarded the impact of my actions. I invaded someone’s privacy without their consent and abused a power that was meant solely for the benefit of patients. I failed to recognize that my friends are also patients with every right to have their information kept private. What I did was inappropriate and a clear lapse of judgement. I also hated the fact that I couldn’t be fully transparent about my wrongdoing when it first came to everyone’s attention. All I was thinking back then was to protect myself, which neither served myself nor anyone else any good.
For the first time, out of desperation, I sought therapy. I didn’t know who I was anymore or how to make peace with myself. Until now, I took a lot of pride in being a good, decent person. I was considerate of others and worked hard to make a positive contribution to this world. Why then did I feel compelled to snoop on my friends? Why did I minimize my wrongdoing when this matter first arose? Those were questions I worked through tirelessly with my therapist. Digging up my deep-rooted insecurities wasn’t easy but felt necessary. It dramatically changed my relationship with social media, loneliness, my ego, and my loved ones. It helped me realize the importance of taking care of your mental well-being.
Six months after my violation came to light, I requested to meet with the HIPAA officer one last time. It was important that I unpack the damage caused through my actions and understand the victim’s perspective. What I learned was how much distress—and in particular fear—was felt by those affected. I found out that I made people feel targeted and attacked. I found out that I made someone’s parents fear for their child’s safety. Ultimately, it doesn’t matter what my intentions were. The outcome doesn’t change. My actions still represent a violation of patient privacy and of a federal regulation. My actions still triggered a lot of emotional pain. As the saying goes, actions have consequences.
A mentor of mine once said, “Failure happens. It’s how you bounce back from failure that’s important.” To me, that meant to accept my penalty, take full responsibility, educate myself on the privacy laws and why they exist, apologize to those affected, and strive to become a better person. By sharing my story, I hope to let people know that one’s health information is sacred and should always be treated as such.
Competing interests: None declared.