Unprotected Tragedy

Veriphyr proactively reports impermissible use of PHI the first time it happens.

 

A Family’s Tragedy

After the gate at a public swimming pool was accidentally left open, Denise and Wayne Russell’s adopted son, Keon, wandered into the water and drowned. He was rushed to McAlester Regional Health Center. There he died at two years old.

After the hospital told her about the death, Keon’s birth mother called and verbally threatened the Russells.

When the Russells adopted Keon in July 2015, his birth mother forfeited all parental rights. As a result, the hospital should not have notified her of the boy’s death.

First, the Russells filed a protective order against the birth mother. Next, they sued the hospital. The lawsuit against the hospital asks for $150,000 in damages for “extreme emotional distress” and negligence in protecting their son’s personal health information (PHI).

(a) 

 

What Happened at the Hospital

Keon’s records were far too easy to access impermissibly.

One food worker had access to the hospital’s electronic health record (EHR) system in order to check the dietary requirements and room numbers of patients. Allegedly, this worker had been told to write down her login credentials on a sticky note and post it on the computer, so other workers could access the EHR system.

On the day Keon was admitted, those credentials were used to access his records multiple times. The worker with the posted credentials was off duty that day, however. Labor and delivery department records were impermissibly accessed, as well.

It is surprising how poorly protected Keon’s records had been. Due to the tragedy, Keon’s hospitalization probably received a flurry of attention. In general, patients associated with a lot of publicity are at a higher risk of having their privacy breached.

Advanced data analytics, like those provided by Veriphyr, can proactively identify cases of impermissible access – even from the account of someone who had appropriate access at one point.
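The access pattern described above (a posted login used while its owner was off duty, reaching records a dietary role does not need) can be surfaced by correlating the EHR audit log with the shift roster. The following is an added example, not part of the original article and not Veriphyr's product or method; the account names, roster, log format, and dates are all constructed for illustration.

```python
from datetime import datetime

# Constructed roster: what each account's job needs, and when its owner is on shift.
ROSTER = {
    "fs_worker1": {
        "scope": {"dietary_requirements", "room_number"},
        "shifts": [("2000-01-03T06:00", "2000-01-03T14:00")],
    },
}

# Constructed EHR audit-log lines: timestamp,account,patient,department,section
AUDIT_LOG = """\
2000-01-03T07:15,fs_worker1,P100,medical,dietary_requirements
2000-01-04T16:02,fs_worker1,P200,emergency,clinical_notes
2000-01-04T16:40,fs_worker1,P200,emergency,clinical_notes
2000-01-04T17:05,fs_worker1,P300,labor_and_delivery,room_number
2000-01-04T17:30,unknown_acct,P200,emergency,room_number
"""

def on_shift(account, when):
    """True if `when` falls inside one of the account owner's scheduled shifts."""
    for start, end in ROSTER[account]["shifts"]:
        if datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return True
    return False

def review(log_text):
    """Return (line_no, account, patient, dept, reasons) for accesses needing review."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        ts, account, patient, dept, section = line.split(",")
        reasons = []
        if account not in ROSTER:
            reasons.append("account_not_in_roster")
        else:
            # A shared or posted login shows up as activity while its owner is away.
            if not on_shift(account, datetime.fromisoformat(ts)):
                reasons.append("owner_off_duty")
            # The role only needs a few record sections; anything else is out of scope.
            if section not in ROSTER[account]["scope"]:
                reasons.append("outside_role_scope")
        if reasons:
            findings.append((line_no, account, patient, dept, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

The off-duty check flags the labor and delivery lookup even though a room number is within the role's scope, which a role-only access rule would miss.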

Even so, the Russells cannot sue for a HIPAA violation due to a precedent set a couple of months earlier.

 

The Legal Precedent 

The precedent establishing no private right of action under HIPAA came about in June. Hope Lee-Thomas brought a case against LabCorp for failing to protect her PHI from public view at their Providence Hospital intake station. The judge dismissed the lawsuit.

Lee-Thomas informed LabCorp and Providence Hospital about the potential violation, then filed a complaint with Health and Human Services (HHS). HHS denied her claim.

The lawsuit against LabCorp was moved to the US District Court for the District of Columbia. US District Court Judge Rudolph Contreras ruled that HIPAA “specifically limits enforcement action to HHS and individual states’ attorneys general”.

However, lawsuits in some states have allowed individuals to file negligence claims involving their PHI. Back in 2011, the US District Court of Eastern Missouri refused to dismiss a case against Washington University. The court allowed the plaintiff to proceed with a “negligence per se” claim. The Russells have used this precedent to file for negligence on Keon’s behalf.

McAlester Regional Health Center, in response to the Russells’ case, denies all allegations.

(b)

 

Private Lawsuits

Back in 2011, a former patient filed a civil lawsuit against Rowan Regional Medical Center in Salisbury, North Carolina for negligence, defamation, slander, and invasion of privacy. Also named in the lawsuit are the hospital’s corporate parent and two hospital employees.

The plaintiff alleged that the hospital inappropriately used and disclosed her electronic protected health information (ePHI) and that a hospital employee harassed her and her family.

She asked for punitive and compensatory damages of at least $10,000 from each defendant, as well as a restraining order and injunction preventing the defendants from disclosing or disseminating any of her confidential health records.

Separately, the former patient filed a HIPAA Privacy Rule complaint with the U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR). The patient privacy audit conducted as a result did not show that any hospital employees had inappropriately accessed the patient’s electronic medical records (EMR).

While federal investigators found no violation, the hospital has agreed to provide training on safeguarding the privacy of electronic health records (EHR) to the employees in the departments covered by the complaint.

(c)

 

Sources

(a) Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure 

(b) Oklahoma Hospital Sued for Alleged HIPAA Violation Over Drowning

(c) Hospital Named In Complaint Over Privacy