By Darren Smith, Weekend Contributor
A woman in Ohio claims a University of Cincinnati Medical Center employee provided her ex-boyfriend with a medical record indicating a diagnosis of Syphilis. The employee was later fired.
She states that she refused to inform her ex-boyfriend as to why she was a patient at the hospital, and in her lawsuit she alleges he then contacted an employee, who he was romantically involved, and she provided the record.
Allegedly the ex-boyfriend posted the medical record on a Facebook page that announced promiscuous women.
As a result, the hospital sacked the employee and referred the case to federal authorities. The Cincinnati Enquirer reports hospital CEO Lee Ann Liska Released a statement proclaiming:
[The University of Cincinnati Medical Center is] outraged that anyone might misuse a position with UC Health to attempt to embarrass or cause harm to another person. This is contrary to our ethic and the training we provide to our associates, and we took immediate action as a result.
Reportedly her attorney said his client is seeking damages in excess of twenty five thousand dollars.
If the allegations are proven this would be a clear violation of HIPAA and a quick settlement might be in the advantage of the UCMC.
By Darren Smith
Source: CBS News
The views expressed in this posting are the author’s alone and not those of the blog, the host, or other weekend bloggers. As an open forum, weekend bloggers post independently without pre-approval or review. Content and any displays or art are solely their decision and responsibility.
Hippa, could provide adequate compensation.
Thanks, rafflaw.
Paul Schulte: that reminds me of the middle aged nurse who told the other nurses about the strange old salt in Room 9. She said he had his name tattooed on his penis. “Adam,” but there was a different name on his chart.
A young attractive nurse said, “when I sponge-bathed him the other day the tattoo said “Amsterdam.”
JD wrote: “I do not think an employer should be liable for their employees actions just because they have deep pockets.”
So, you believe that only employers with minimal assets should be liable for their employees actions?
No, what you are really saying is that employers should be invulnerable, no matter what their employees do. Let’s follow the logic there. Employers will have no motivation whatsoever to instruct their employees to secure patient data because they will already have their “Get out of jail free” card.” And we will have even more instances of employees acting like junior high school students.
There is a master-servant relationship. In this case, I think if the hospital is smart, they are going to get out of it as fast as possible. If they litigate it, things are just going to get worse. The esteemed Mayo Clinic, which has a branch here, had a surgeon who used his cell phone to take a photo of a patient’s private parts because of the interesting (to him at least) tattooing. The doctor was fired, but the patient collected first from the doctor, but from the hospital as well.
I personally know of a case where personal information was stored on a non-secure server by a health insurance company pre-Obamacare. The server was accessed by miscreants. The insurance company claimed that no data was lost, but the only way they could prove that would have been to release their logs (and even that is not proof because logs can be modified), which they did not. There was a class action suit. Eventually the OCR declared “no harm, no foul” and allowed the insurance company to merely give a one year’s subscription to a credit monitoring service (not to an identity theft service, mind you). The insurance company was not even required to cease and desist from storing data on non-secure servers.
HIPAA is a joke. I don’t know why people here think the law has teeth.
“…HIPAA Privacy Rule, as currently interpreted and implemented, impedes research without protecting privacy as well as it should http://www.ncbi.nlm.nih.gov/books/NBK9576/. “Beyond the HIPAA Privacy Rule…
also:
“Criminal penalties for a person who knowingly violates HIPAA :
$50,000 and a one year prison term”
http://hipaa.bsd.uchicago.edu/background.html
=====================================
While HIPAA Rules are purported to protect individual privacy and was initiated in 1996 as an attempt to “standardize” electronic storage security, it has its background deeply in the channels of asymmetrical information and a complex history of its use and abuses. Anyone that works in the health delivery system knows that HIPAA protects the Hospital, the Doctors and most of all the Insurance Companies more than it protects privacy for a patient. HIPAA makes it very difficult for negligence to be exposed to families, or for inquiry into negligence by families on behalf of their family members (and forget about friends!). The routine appeal to HIPPA from Doctor’s offices is a rampant abuse of the rules these days to avoid providing information (let alone details) that may be legitimately needed to make informed decisions. In effect it is more of an barrier to entry than a barrier to exit.
oldfox,
The “excess of $25,000” language may be the minimum for a law division case and not an indication of the actual amount the plaintiff may request in damages.
I do not think an employer should be liable for their employees actions just because they have deep pockets. I understand the patient wants to turn her embarrassment into a lottery win by making sure everyone knows her diagnosis, but the hospital did not allow the actions, had no way of preventing them, and fired the employee. They did everything right.
Such lawsuits will not result in reducing such actions by employees. In fact they could very well increase them..
The same thing goes for so many lawsuits. All too often the amounts demanded are far in excess of damages and nearly all the time the person having to pay – the taxpayers – has nothing to do with the actions. Whether it is a Starbucks manager telling an applicant they don’t hire his kind of people, an airline employee strapping a marital aid to the outside of a suitcase, or a doctor who performed a cavity search without a warrant, the employer should not be liable UNLESS their actions allowed the illegal activity, or tried to cover it up, encouraged it, or something similar which would make them reasonably liable. Not simply because they have deep pockets
JD wrote: “I do not think an employer should be liable for their employees actions just because they have deep pockets.”
The depth of pockets has nothing to do with it. Employees are the agents of the employer. Employers are responsible that employees act within the law. The medical records are property of the employer and the employer gave this employee access. Hopefully the employer made sure that the employee was properly trained about the legal ramifications of disclosing information. I am not a lawyer, but I am an employer, and I look at this similar to how a parent is responsible for the actions of their minor children.
Arguably, the employer can’t be responsible for the criminal behavior of its employee, barring negligence or cover-up or something. (If a policeman beats up his wife, or a meter reader rapes a teenager, you can’t blame the employer.) That’s probably why the plaintiff’s attorney is asking so little, so that the hospital will decide quickly to avoid the bad publicity, a court case filing, trial attorney fees, and free health care for the aggrieved party.
The mount of her claim is less than the cost of a appendectomy, isn’t it?
Dredd: Do you wear a skirt?