With the increase in electronic medical record-keeping, many people have expressed concern about the privacy of their medical information. But not all breaches of private medical information are accidental, or the result of misused technology. Sometimes private, potentially embarrassing, medical information is revealed by a person who has access to it for a legitimate reason, but abuses that access. What recourse do you have when a hospital violates your privacy, or a hospital employee reveals your personal information to others?
Under the federal law of the Health Insurance Portability and Accountability Act, better known as HIPAA, doctors and other health care providers cannot legally share patients' medical information without their permission. However, HIPAA does not create a right to file a medical malpractice case in the event of a breach.
Medical malpractice requires four things: a duty to the patient, a breach of that duty, an injury caused by the breach, and damages stemming from the injury. In at least some cases where a hospital employee or employee of a pharmacy or medical facility intentionally violated patient privacy, patients have claimed malpractice.
One such case is that of Sheila Harosky, an employee at a Pennsylvania hospital who was admitted to that hospital as a patient for hernia surgery. Harosky allowed fake intestines to be placed on her body by other hospital as a practical joke on her doctor. However, after the surgery and her return to work, Harosky learned from a coworker that a member of the operating room staff had taken pictures of her naked body while she was unconscious, and had distributed those photos to others in the hospital. Harosky said that while she had agreed to the practical joke, she had not consented to the photographs or their distribution. She and her attorney allege that a similar incident happened to at least one other patient, and sued the hospital, its CEO, and the doctor who performed the surgery for invasion of privacy and medical malpractice. The case is still pending at this writing.
In Florida, a woman who surrendered a newborn for adoption together with the child's father wanted to keep the pregnancy, birth, and adoption quiet. The couple agreed to do this, but a relative of the father, who had access to the Tampa hospital's computer system, was able to look up the woman's medical records years later from a computer outside of the hospital. She discovered the birth, made printouts of the information, and revealed the woman's medical secrets at a family funeral.
In an Indiana incident from 2014, a hospital worker disclosed a former friend's HPV infection on Facebook. While such incidents don't receive as much attention as large-scale and inadvertent releases of information, they often cause more distress on a personal level. In the matter of the woman from Indiana, intimate information was released, and commented on, by someone who knew her to others who knew her. She found herself doing her grocery shopping in another town so she wouldn't have to run into anyone she knew.
The Office of Civil Rights (OCR) is the arm of the Department of Health and Human Services tasked with enforcing HIPAA. Its focus tends to be on the larger-scale cases and there are limited consequences in these smaller cases that impact only one or a few people, however deeply. The agency is geared toward helping medical providers follow the law, though it does also issue formal sanctions when appropriate. These sanctions may not provide a resolution that meets the needs of the person who was injured.
Sometimes the best recourse you have if you have been injured by an intentional, malicious release of medical information has is to file a lawsuit for invasion of privacy and/or medical malpractice. Certainly the person who released the information without authorization should be reported to his or her employer and any licensing boards or agencies governing their profession. These measures may result in discipline or termination of the medical professional and possibly loss of professional license.
While this may provide some satisfaction to the person who was injured, it doesn't compensate them for their actual injuries, which may be extensive and include damage to their reputation as well as anxiety and depression. Though an individual committed the breach of medical privacy, a hospital may be liable for the employee's actions under some circumstances.
The law varies from state to state regarding what legal action a person can take against a worker who maliciously revealed medical information, or the organization for which that person worked. If you have suffered as a result of your medical records being disclosed without your permission in violation of law, speak to an experienced Oregon medical malpractice attorney. An ethical attorney can advise you of your legal options and the likelihood of success if you do file a lawsuit, and will help you evaluate whether taking legal action will bring you the peace of mind you deserve.
You may also be interested in: