Patient Files Lawsuit Against Hospital For Employee Allegedly Releasing Syphilis Diagnosis Later Posted On Facebook

By Darren Smith, Weekend Contributor

University of Cincinnati Medical Center logoA woman in Ohio claims a University of Cincinnati Medical Center employee provided her ex-boyfriend with a medical record indicating a diagnosis of Syphilis. The employee was later fired.

She states that she refused to inform her ex-boyfriend as to why she was a patient at the hospital, and in her lawsuit she alleges he then contacted an employee, who he was romantically involved, and she provided the record.

Allegedly the ex-boyfriend posted the medical record on a Facebook page that announced promiscuous women.

As a result, the hospital sacked the employee and referred the case to federal authorities. The Cincinnati Enquirer reports hospital CEO Lee Ann Liska Released a statement proclaiming:

[The University of Cincinnati Medical Center is] outraged that anyone might misuse a position with UC Health to attempt to embarrass or cause harm to another person. This is contrary to our ethic and the training we provide to our associates, and we took immediate action as a result.

Reportedly her attorney said his client is seeking damages in excess of twenty five thousand dollars.

If the allegations are proven this would be a clear violation of HIPAA and a quick settlement might be in the advantage of the UCMC.

By Darren Smith

Source: CBS News

The views expressed in this posting are the author’s alone and not those of the blog, the host, or other weekend bloggers. As an open forum, weekend bloggers post independently without pre-approval or review. Content and any displays or art are solely their decision and responsibility.

36 thoughts on “Patient Files Lawsuit Against Hospital For Employee Allegedly Releasing Syphilis Diagnosis Later Posted On Facebook

  1. Wherever there are confidential records there will ALWAYS be leaks. When the govt. tells you the NSA records are secure, THEY ARE LYING. Always remember that.

  2. I certainly don’t agree with an employee releasing records like this, but the HIPAA laws seem to cause a lot of problems. One of my employees this week was trying to get the vaccination history of her own children. They would not fax it to her, so she went down there, and then they would not give it to her because the doctor was not there to “sign off” on it. So to see the problems the law causes, and then a situation like this where even without the law, common sense would tell you not to release that information, well, it is troublesome.

  3. A friend of mine in the early 1970s was a social worker in East Saint Louis. He had some clients who came home from the hospital with twins. The couple said that the doctors named their kids. The names were Gonora and Siphylis. The kids were about three when the situation came up. The parents had been calling the kids by those names. The real names on the birth certificate will remain secret here. This goes to show that even parents can not be trusted to ascertain what is on their own kids’ records. I ran into the social worker lately and he is retired. He said that he ran into the couple lately as well and that one of the kids, now 40, goes by the nickname of Gonara.

  4. Problem with HIPPA is some offices don’t have a clue how to do it and go too far in either direction.

  5. It certainly is both reprehensible and a serious HIPAA violation to give such med rex to the ex-boyfriend in a format that could be posted on the web.

    But is there not some public health related duty to advise a person (the guy) that he has been exposed to a very serious venereal disease and needs to get carefully examined? Or at least a duty on the part of the hospital to at least ask the patient to notify him?

    Or did all those duties go up in smoke when HIPAA was enacted?

  6. Paul oncer again you write before knowing the facts. “HIPAA regulations became effective on April 14, 2001, and April 14, 2003 is the date on which hospitals must have been in compliance with the HIPAA privacy rule”
    Nothing to do with the ACA

  7. leej, You are absolutely correct about people who need to know the law being ignorant. But also, many record keepers use the law to make their lives easier by randomly saying, “I can’t give you that” and hanging up.

  8. leejcaroll wrote: “Paul once again you write before knowing the facts. … April 14, 2003 is the date on which hospitals must have been in compliance with the HIPAA privacy rule… Nothing to do with the ACA”

    You make it sound like the rule stopped in April 2003 and has nothing to do with Obamacare.

    I’m no expert on this, but I did find this kind of language on the web:

    “Obamacare legislation added a host of new federal insurance regulations onto HIPAA’s basic structure…”

    “A new rule – the HIPAA Omnibus Rule (the “New Rule”) – becomes effective September 23, 2013. Employers should reach out to their third-party administrators and health plan providers to confirm compliance with the New Rule.”

    It seems to me like Paul is not shooting without facts on his side.

  9. Wait a minute. Read that first paragraph again. Who was fired: the woman complaining, the medical center worker, or the ex-boyfriend?

    I don’t think the Plaintiff’s attorney is doing her any favors. He will get a quick $12 grand for himself within a week and probably even let them have a secret, sealed settlement so no other attorney or victim will find the case in the court Index.

  10. True Nick and Paul in fact, as one example someone wrote makes it easier to get info re kids vaccinations.
    Also the other rules make it clearer and involve EMR’s which were not in place in o3. Make business associates of covered
    entities directly liable for compliance
    with certain of the HIPAA Privacy and
    Security Rules’ requirements.
    • Strengthen the limitations on the
    use and disclosure of protected health
    information for marketing and
    fundraising purposes, and prohibit the
    sale of protected health information
    without individual authorization.
    • Expand individuals’ rights to
    receive electronic copies of their health
    information and to restrict disclosures
    to a health plan concerning treatment
    for which the individual has paid out of
    pocket in full.
    • Require modifications to, and
    redistribution of, a covered entity’s
    notice of privacy practices.
    • Modify the individual authorization
    and other requirements to facilitate
    research and disclosure of child
    immunization proof to schools, and to
    enable access to decedent information
    by family members or others.
    • Adopt the additional HITECH Act
    enhancements to the Enforcement Rule
    not previously adopted in the October
    30, 2009, interim final rule (referenced
    immediately below), such as the
    provisions addressing enforcement of
    noncompliance with the HIPAA Rules
    due to willful neglect.

    I guess protecting to whom your info can be sold is a bad thing?
    Expand ind’s rights to receive info is a bad thing? and so on.
    but yes if youre against Obama then it doesn’t matter what is good or betters a law, if it is dem or this prez it is pro forma bad.

  11. Legal question: if the hospital acted immediately to sack the employee who leaked, they still have a liability? How does a hospital protect itself against a rogue/irresponsible/stupid employee? And, the relationship of the plaintiff and ex is full of questions…as in, was the timing of their relationship such that she had any obligation to let him know she had an STD?

  12. iconoclast – I think there is a legal obligation to tell your partner if you are engaging is sex with them. Not sure if there is an obligation afterword. They seem to have broken up and it is possible that he gave it to her. In the olden days, if you got a STD you were morally obligated to tell the partners you knew might have been affected so they could be treated. I am not sure if there was a legal obligation.

  13. Let’s all say this together. There is no private cause of action under HIPAA. This may be a cause on action under Ohio state law which uses the HIPAA regs as a standard of care, but not under federal law.

  14. Arguably, the employer can’t be responsible for the criminal behavior of its employee, barring negligence or cover-up or something. (If a policeman beats up his wife, or a meter reader rapes a teenager, you can’t blame the employer.) That’s probably why the plaintiff’s attorney is asking so little, so that the hospital will decide quickly to avoid the bad publicity, a court case filing, trial attorney fees, and free health care for the aggrieved party.

    The mount of her claim is less than the cost of a appendectomy, isn’t it?

  15. I do not think an employer should be liable for their employees actions just because they have deep pockets. I understand the patient wants to turn her embarrassment into a lottery win by making sure everyone knows her diagnosis, but the hospital did not allow the actions, had no way of preventing them, and fired the employee. They did everything right.

    Such lawsuits will not result in reducing such actions by employees. In fact they could very well increase them..

    The same thing goes for so many lawsuits. All too often the amounts demanded are far in excess of damages and nearly all the time the person having to pay – the taxpayers – has nothing to do with the actions. Whether it is a Starbucks manager telling an applicant they don’t hire his kind of people, an airline employee strapping a marital aid to the outside of a suitcase, or a doctor who performed a cavity search without a warrant, the employer should not be liable UNLESS their actions allowed the illegal activity, or tried to cover it up, encouraged it, or something similar which would make them reasonably liable. Not simply because they have deep pockets

  16. oldfox,
    The “excess of $25,000” language may be the minimum for a law division case and not an indication of the actual amount the plaintiff may request in damages.

  17. “…HIPAA Privacy Rule, as currently interpreted and implemented, impedes research without protecting privacy as well as it should “Beyond the HIPAA Privacy Rule…
    “Criminal penalties for a person who knowingly violates HIPAA :

    $50,000 and a one year prison term”
    While HIPAA Rules are purported to protect individual privacy and was initiated in 1996 as an attempt to “standardize” electronic storage security, it has its background deeply in the channels of asymmetrical information and a complex history of its use and abuses. Anyone that works in the health delivery system knows that HIPAA protects the Hospital, the Doctors and most of all the Insurance Companies more than it protects privacy for a patient. HIPAA makes it very difficult for negligence to be exposed to families, or for inquiry into negligence by families on behalf of their family members (and forget about friends!). The routine appeal to HIPPA from Doctor’s offices is a rampant abuse of the rules these days to avoid providing information (let alone details) that may be legitimately needed to make informed decisions. In effect it is more of an barrier to entry than a barrier to exit.

  18. I personally know of a case where personal information was stored on a non-secure server by a health insurance company pre-Obamacare. The server was accessed by miscreants. The insurance company claimed that no data was lost, but the only way they could prove that would have been to release their logs (and even that is not proof because logs can be modified), which they did not. There was a class action suit. Eventually the OCR declared “no harm, no foul” and allowed the insurance company to merely give a one year’s subscription to a credit monitoring service (not to an identity theft service, mind you). The insurance company was not even required to cease and desist from storing data on non-secure servers.

    HIPAA is a joke. I don’t know why people here think the law has teeth.

  19. JD wrote: “I do not think an employer should be liable for their employees actions just because they have deep pockets.”

    The depth of pockets has nothing to do with it. Employees are the agents of the employer. Employers are responsible that employees act within the law. The medical records are property of the employer and the employer gave this employee access. Hopefully the employer made sure that the employee was properly trained about the legal ramifications of disclosing information. I am not a lawyer, but I am an employer, and I look at this similar to how a parent is responsible for the actions of their minor children.

  20. JD wrote: “I do not think an employer should be liable for their employees actions just because they have deep pockets.”

    So, you believe that only employers with minimal assets should be liable for their employees actions?

    No, what you are really saying is that employers should be invulnerable, no matter what their employees do. Let’s follow the logic there. Employers will have no motivation whatsoever to instruct their employees to secure patient data because they will already have their “Get out of jail free” card.” And we will have even more instances of employees acting like junior high school students.

  21. There is a master-servant relationship. In this case, I think if the hospital is smart, they are going to get out of it as fast as possible. If they litigate it, things are just going to get worse. The esteemed Mayo Clinic, which has a branch here, had a surgeon who used his cell phone to take a photo of a patient’s private parts because of the interesting (to him at least) tattooing. The doctor was fired, but the patient collected first from the doctor, but from the hospital as well.

  22. Thanks, rafflaw.

    Paul Schulte: that reminds me of the middle aged nurse who told the other nurses about the strange old salt in Room 9. She said he had his name tattooed on his penis. “Adam,” but there was a different name on his chart.

    A young attractive nurse said, “when I sponge-bathed him the other day the tattoo said “Amsterdam.”

Comments are closed.