By Wilson Dunlop [Pseudonym].<\/p>\n
Just two weeks into my third-year of medical school, I committed a grave sin. I was alone in my room on my laptop, familiarizing myself with the software that powered the electronic health record (EHR). It was like any other night\u2014a mixture of laziness and productivity and needless juggling between my electronic devices\u2014except on this day a thought crept into my mind while using the EHR\u2019s search engine. \u201cCan this thing look up anybody\u2019s<\/em> medical record?\u201d I got curious, and it led me astray. Next thing I knew, a friend\u2019s face popped in my head, likely from having just seen this individual\u2019s Instagram profile on my downtime, and I started typing. To my surprise, the friend\u2019s name showed up in the search field. I hesitated. I was tempted. And with one simple click, I fell down a rabbit hole I wish I never knew existed.<\/p>\n In that moment, it didn\u2019t occur to me that I had violated the Health Insurance Portability & Accountability Act (HIPAA), a U.S. federal law that protects individual\u2019s medical records. I didn\u2019t know any better. It felt like a peek, like opening Facebook to quickly check the status of my friends. Because I was a healthcare worker, somehow it felt justified. I knew it wasn\u2019t okay to share the information I had accessed to anybody else. That part was clear from the online trainings and hospital elevator signs. But when the boundary between your personal and professional life blurs for the first time without repercussion, it becomes hard to escape from it. A few months later, I found myself going down the same rabbit hole. Another quick peek. And again a few months after that. It was the same scenario\u2014just me on my laptop, bored, with nobody to yell at my face that this was morally wrong. There were no clear warning signs. I couldn\u2019t course-correct. It took nearly a year to finally come to my senses, when a privacy monitoring technology picked up on my suspicious behavior, and I received a notice from the medical school.<\/p>\n By this point, I was a fourth-year medical student getting ready to apply for residency. The privacy technology flagged three charts I had accessed a week prior. The names of those patients were underlined in the notice\u2014they were my friends. My heart sank. Afterward, I had a meeting with a HIPAA privacy officer, who probed about my access with a cold-eyed stare. I was scared. I admitted to the access, citing curiosity and boredom. But at the end of our conversation, the officer asked a question I feared the most: \u201cAre there more than these three?\u201d I paused, as my body\u2019s fight-or-flight response kicked in. In a low voice, I said no. It was the biggest lie I had ever told in my life. The larger truth was overwhelmingly shameful. I prayed that they would never find out. I promised myself that something like this will never happen again. I made a mistake. I\u2019m not a bad person. I thought I had learned my lesson already.<\/p>\n Every access, every click, and every search you make is documented. I know this because in my next meeting with the HIPAA officer, an excel sheet was presented to me, showing exactly what I feared\u2014all my access from prior dates. The evidence was clear. I knew I had to let my guard down. The officer wanted a motive, however, and kept pressing me until she got one. She was convinced that there was something inherently wrong with me as a person. I felt stuck because my motive wasn\u2019t anything malicious\u2014it was curiosity gone too far. Yet the officer\u2019s eyes were filled with disgust. In turn, I began to feel disgusted at myself. The weight of what I had done became too heavy to bear. It was then I learned the lowest point of your life isn\u2019t when you lose what\u2019s most precious to you, but when your self-hatred overtakes your will to live. The next time I met with the HIPAA officer was at a hearing in front of 15 deans and professors of the medical school, where my fate was determined. I was charged for having a lack of honesty and integrity, violating the School\u2019s Code of Conduct, and violating a federal law.<\/p>\n The hearing lasted over two hours. It was stressful and emotional. My violation was read out loud by the HIPAA officer in front of the entire hearing committee. I sat there, face down, feeling completely naked, shackled to my chair with intense shame and guilt. When it was my turn to speak, I pleaded guilty. I asked for a second chance because I had no other choice. The most difficult part was when one of the committee members\u2014a former teacher of mine\u2014said to me, \u201cI regarded you as one of my best students in my 25 years of teaching. I am shocked.\u201d All I could really say in response was that I was sorry.<\/p>\n The wait after the hearing felt like a lifetime. I met with the Dean of Student Affairs, and by this point, we had seen each other more times than we can count. I learned to read her facial expressions, and before she even said a word, I already sensed the dread that was coming my way. Despite how tightly I clung onto hope, deep down, I knew that there was only one appropriate sanction for a violation like this. What wasn\u2019t evident before was now crystal clear to me then: intentional and unauthorized access of protected health information is a serious HIPAA violation and grounds for termination. So, on the day after my residency application was due, I was dismissed from the medical school. My career as a physician ended before it had even started. Strangely, after hearing this outcome, I had a rush of relief. The emotional burden that was the last two months was finally over, or so I thought. That relief was short-lived.<\/p>\n Losing my dream, my career, my community, my friends\u2014my identity\u2014this way generated an enormous amount of grief. I felt worthless, undeserving of living life. Things didn\u2019t end there. By law, the HIPAA office was required to notify every affected individual that a breach of their medical record had occurred. The possibility that my shameful act could be exposed to my entire social and professional circle felt like a life sentence. Dark thoughts clouded my mind. It was tormenting. It took time, but somehow, I was able to hold on and find a way to move forward. I still live with regret each day, not because of the losses I experienced, but because people were hurt though my actions. While it was never my intention to cause pain, there is simply no excuse for my behavior. I disregarded the impact of my actions. I invaded someone\u2019s privacy without their consent and abused a power that was meant solely for the benefit of patients. I failed to recognize that my friends are also patients with every right to have their information kept private. What I did was inappropriate and a clear lapse of judgement. I also hated the fact that I couldn\u2019t be fully transparent about my wrongdoing when it first came to everyone\u2019s attention. All I was thinking back then was to protect myself, which neither served myself nor anyone else any good.<\/p>\n For the first time, out of desperation, I sought therapy. I didn\u2019t know who I was anymore or how to make peace with myself. Until now, I took a lot of pride in being a good, decent person. I was considerate of others and worked hard to make a positive contribution to this world. Why then did I feel compelled to snoop on my friends? Why did I minimize my wrongdoing when this matter first arose? Those were questions I worked through tirelessly with my therapist. Digging up my deep-rooted insecurities wasn\u2019t easy but felt necessary. It dramatically changed my relationship with social media, loneliness, my ego, and my loved ones. It helped me realize the importance of taking care of your mental well-being.<\/p>\n Six months after my violation came to light, I requested to meet with the HIPAA officer once last time. It was important that I unpack the damage caused through my actions and understand the victim\u2019s perspective. What I learned was how much distress\u2014and in particular fear<\/em>\u2014that was felt by those affected. I found out that I made people feel targeted and attacked. I found out that I made someone\u2019s parents fear for their child\u2019s safety. Ultimately, it doesn\u2019t matter what my intentions were. The outcome doesn\u2019t change. My actions still represent a violation of patient privacy and of a federal regulation. My actions still triggered a lot of emotional pain. As the saying goes, actions have consequences.<\/p>\n A mentor of mine once said, \u201cFailure happens. It\u2019s how you bounce back from failure that\u2019s important.\u201d \u00a0To me, that meant to accept my penalty, take full responsibility, educate myself on the privacy laws and why they exist, apologize to those affected, and strive to become a better person. By sharing my story, I hope to let people know that one\u2019s health information is sacred and should always be treated as such.<\/p>\n <\/p>\n