Archives: snooping

New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4.  A screenshot of a page from his hospital records was tweeted by ESPN reporter Adam Schefter on July 8, resulting in a flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws.  In an article by  published today by LXBN, the Lexblog Network, our partners and frequent blog contributors Michael Kline and Elizabeth Litten are quoted extensively about the implications of the publication of these records by a media outlet, the health privacy rights of public figures and the effect, if any, of the NFL’s collective bargaining agreement on such disclosures.  The article is here: Did That ESPN Reporter’s Tweet Violate HIPAA?

As noted in Elizabeth’s comments, there is no “public figure exception” to HIPAA, and as we have noted before in this blog, celebrities’ records are frequently the subject of unauthorized snooping.

A critical question is how the ESPN reporter obtained the records, from whom and under what circumstances.  Although HIPAA does not directly regulate parties other than Covered Entities and their Business Associates, the law provides for criminal penalties for unauthorized use or disclosure of individually identifiable health information with the intent to sell, transfer, or use such information for commercial advantage, personal gain or malicious harm, including fines of up to $250,000, and imprisonment for up to ten years.  The Department of Justice has stated that “the liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”

Illicitly obtained medical records should be contrasted with health information that is released voluntarily by the individual patient.  For instance, in the Ebola infection incidents of October 2014, it appears that some information reported in the media may have been voluntarily disclosed by the affected individuals or their families.  Nevertheless, famous individuals, whether their fame arises out of their health condition or because of their prominence as athletes, entertainers or politicians, have the same health privacy rights as others and those rights should be safeguarded by covered entities and their business associates.

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

The Rutland, VT Herald reports that Kathy Tatro of Bennington, VT pleaded guilty to four counts of unauthorized access to computer records in a plea bargain that imposed probation and required her to serve 160 hours of community service, which will include talking to medical employees about the importance of privacy regarding patient records. The Bennington Banner reports that Ms. Tatro was given a 6-12 month suspended sentence, 2 years probation and a $2,000 fine.

This blog has noted other instances of snooping leading to serious consequences, including the case of a UCLA researcher sentenced to prison time for reading records of celebrities and co-workers, a Texas nurse fired for unauthorized access, a California hospital fined after employees accessed Michael Jackson’s records, a New York hospital that suspended employees for accessing George Clooney’s records after a motorcycle accident, and the termination of 16 hospital employees for accessing the records of an injured first-year resident.

The Vermont ACLU claims that this incident is “believed to be the most extensive breach of personal electronic medical records ever reported in Vermont.” The ACLU noted that the victim had explained in court how the system let her down.

“No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.”

Based on reports, it appears this case was brought solely under state privacy laws, not HIPAA. It is not clear whether the Vermont Attorney General was involved, even though it seems that the victim alerted a variety of authorities.  

This case is yet another cautionary tale that should be considered by anyone in a position to access health records without a legitimate purpose, as well as by hospitals and other covered entities who should reevaluate the safeguards they have in place to track and prevent or at least discourage unauthorized access. 

A nurse has been fired by a Texas hospital after accessing information on patients for whom she had no clinical responsibility, according to the Mt. Pleasant, TX Daily Tribune. The hospital, Titus Regional Medical Center, reportedly discovered the unauthorized access in the course of an audit in November. The nurse admitted to looking at the records out of curiosity but insisted that no records had been further disclosed.

The hospital decided to notify 108 patients in a letter which warned them of a slight risk of identity theft. The hospital administrator indicated that the notices may not be required under HIPAA but were being sent out of an abundance of caution, and emphasized that there was no evidence any data was printed nor disclosed to any third parties. Although most records accessed did not contain social security numbers, affected patients were nevertheless advised to contact the three major credit bureaus, Equifax, Experian and TransUnion.

 

This incident is reminiscent of the 2011 UCLA breach which resulted in a prison term for the snooping employee and similar incidents involving other California hospitals. A common element in these breach incidents is that the health information was not sold, distributed or otherwise further disclosed by the snooping employees. However, after an investigation, federal health regulators determined that UCLA employees reviewed patients’ electronic medical records "repeatedly and without a permissible reason."   Ultimately, UCLA entered into a settlement agreement with federal health regulators, which among other things, socked UCLA with a fine of $865,000. 

 

These cases illustrate the seriousness of HIPAA’s still poorly-defined “minimum necessary” standard which, at the least, requires workers at covered entities and business associates to have a valid reason beyond mere curiosity before they access PHI. The ease with which employees can call up any record in a health system’s database can present an overpowering temptation, and it is incumbent on employers to educate their workforce about the need to resist the urge to snoop.