Although Americans may live in dread about large-scale data breaches by big corporations, instances in which health care personnel inappropriately peek and tell information from patients’ private medical records can be equally daunting and destructive, a fine, recent journalistic dissection discloses. As ProPublica reporter Charles Ornstein also finds, it may take lawsuits and the civil justice system to help victims of such wrongful disclosures, not a vaunted federal act aimed at protecting the confidentiality of patients’ medical information.
HIPAA, aka the Health Insurance Portability and Accountability Act of 1996, and the agency charged with enforcing that law — the Department of Health and Human Services’ Office for Civil Rights — too often turn out to be paper tigers in dealing with their legal duty to deal with 30,000 complaints lodged annually by patients concerned with privacy breaches, many of them “heartbreaking” one-off situations, ProPublica says. Regulators prefer to negotiate with institutions accused of such small breaches and to get them to look at procedural flaws and to promise to fix them.
That’s little help, however, to the aggrieved that Ornstein tracked, including a man whose HIV status was wrongly disclosed in a piece of paper in a court filing. Or the Tampa woman whose prior pregnancy, birth, and surrender of a child to adoption was discovered and improperly disclosed to family members by her partner’s aunt, a nurse snooping in records. Or the Indiana mom with the human papillomavirus (HPV) that causes genital warts and can cause cancer; she suffered the indignity of disclosure of her condition via a social media posting by a med tech who knew her and worked at a hospital where the woman had been treated. Then, there’s the case of a New Jersey woman who accused a hospital of allowing one of its employees access to her son’s treatment record — the staffer told other’s that the 11-year-old boy had attempted suicide and he was mocked and bullied at his school, as a result.
In my newsletter, I’ve written about ways patients can try to protect the information in their medical records, especially as these get digitized and become the target for hackers. But let’s also be clear: HIPAA carries some powerful provisions to sanction nosy wrong-doers and the careless places where they work, including the possibility of significant fines against individual violators and institutions, ranging from $50,000 to $1.5 million — and, as well, the possibility of criminal prosecution. Health care snoops most certainly should know that, if caught, they likely will be fired and may lose professional licenses. And as Ornstein reports and I’ve underscored: judges and juries can impose sizable penalties in lawsuit awards on nosey-parkers who get caught. The ProPublica story describes multiple instances of verdicts in the hundreds of thousands and millions for privacy breaches. Now if only the bureaucrats would get out of their accommodating mindset.
