This story was co-produced by ProPublica and NPR.

“PPL WORLD WIDE,” the Facebook post shouted, using text-speak for the word “people.” “FRANCES … IS HPV POSITIVE!”

The public missive from January 2014 gave Frances’ full name, along with the revelation that she had human papillomavirus, a sexually transmitted disease that can cause genital warts and cancer. It also included her date of birth and ended with a plea to friends: “PLZ HELP EXPOSE THIS HOE!”

This year, ProPublica has been chronicling how weaknesses in federal and state laws, as well as lax enforcement, have left patients vulnerable to damaging invasions of privacy.

Within hours, a friend told Frances that a former high school pal who lived near her in northwest Indiana had shared a secret that only her family and a former boyfriend knew, she later said.

“My heart fell to my stomach,” said Frances, a dental assistant in her late 20s who asked that her last name not be used. “I started crying immediately.”

The Facebook poster was a patient care technician at the local hospital where Frances was treated, but the two were no longer friends.

Frances complained to a nursing supervisor at the hospital, which sent her a letter of apology in March 2014. “Please know that we take these types of situations very seriously,” the letter said. “We did take action in accordance with our policies and procedures,” although it did not specify what had been done.

Under the federal law known as HIPAA, it’s illegal for health care providers to share patients’ treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.

The bulk of the government’s enforcement — and the public’s attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.

As Frances discovered, it’s often little-noticed smaller-scale violations of medical privacy — the ones that affect only one or two people — that inflict the most harm.

Driven by personal animus, jealousy or a desire for retribution, small breaches involving sensitive health details are spurring disputes and legal battles across the country:

In Tampa, Florida, a nurse snooped in the medical records of her nephew’s partner, learned that she had delivered a baby and had put the child up for adoption. She gave a printout to another family member, and the secret was announced at a family funeral in 2013, the Tampa Bay Times reported. The niece complained to the hospital; the nurse admitted what she did, was fired and relinquished her Florida nursing license.

A New Jersey woman sued a local hospital this fall, alleging that one of its employees shared details about her 11-year-old son’s attempted suicide with people at his school. The boy was subsequently “bullied by his peers, called names and made fun of,” her lawsuit says.

And in South Carolina, prosecutors allege that lawyers were illegally given information from the state’s prescription drug monitoring program database to gain an edge in family court cases. A pharmacist and drug screener were indicted in August for conspiring to violate the rules governing the database; the pharmacist also was accused of disclosing data on prescriptions for controlled substances. The men have pleaded not guilty.

Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, it typically settles for pledges to fix any problems and issues reminders of what the Health Insurance Portability and Accountability Act requires. It doesn’t even tell the public which health providers have reported small breaches — or how many.

Tami Matteson, a California high school teacher, complained to the agency in September 2013 after learning that her ex-husband’s new wife, who worked as a medical records clerk at the local hospital, had looked at her records more than a dozen times over three years. It turned out the worker had snooped in other people’s records, too.

But OCR decided not to sanction Northern Inyo Hospital after it terminated the clerk, sent privacy reminders to staff, increased its audits and instituted new policies. The hospital’s compliance officer declined to comment to ProPublica but said in a court filing that the incident may have caused patients to lose confidence in the rural hospital.

Even though the clerk lost her job and pleaded guilty to a misdemeanor criminal charge, and even though the hospital paid Matteson $25,000 to resolve her legal claim, she said she still can’t get over what happened. It has undermined her trust in doctors and the entire medical establishment, she said.

“HIPAA did nothing for me — not one thing,” Matteson said. “I no longer can go to the doctor and feel safe or comfortable.”

Asked about some of the privacy violations highlighted in this report, OCR Director Jocelyn Samuels called them “heartbreaking stories” and “the kinds of harm that HIPAA is intended to address.”

She insisted her agency isn’t afraid to pursue formal sanctions when they are warranted, but said its primary role is helping health providers to follow the law. “Our preference is always to promote voluntary compliance,” Samuels said.

For patients, Samuels’ agency is usually the only place they can seek vindication. HIPAA does not give people the right to sue for damages if their privacy is violated. Patients who seek legal redress must find another cause of action, which is easier in some states than others.

After being attacked on Facebook, Frances contacted Indianapolis lawyer Neal Eggeson. He had won jury verdicts for people whose medical information was improperly disclosed. Eggeson contacted the hospital and, without filing suit, secured a confidential settlement for Frances. (He asked that the facility not be named in this story.) Frances’ former friend no longer works there, she said.

Frances said she still hasn’t fully recovered. She sees a therapist and has a hard time trusting others.

“It’s hard to even still deal with it,” she said. “I’ll spend that extra gas money to go into another city to do grocery shopping or stuff like that just so I don’t have to see anybody from around the neighborhood.”

From insurance defense to privacy offense

Eggeson, a litigator, was defending insurance companies in car accident cases when a “friend of a friend of a friend” referred a young man to him. The man, who is HIV positive, had been sued over a $326 debt by the medical group that had been treating him. The group’s court filing gave the man’s name, home address, Social Security number and date of birth — and included a billing statement containing the phrase “Last Diagnosis: HIV.”

“His first concern was getting the court record sealed, more than anything else,” Eggeson said. “I don’t think he had any designs or visions beyond that.”

A jury awarded the man $1.25 million.

After that victory, Eggeson represented Abigail Hinchy, who alleged that a Walgreens pharmacist had snooped in her prescription records and shared the information with the father of Hinchy’s child (the man was dating and later married the pharmacist). Among the data shared: Hinchy had stopped taking birth control pills shortly before she became pregnant. A jury ordered Walgreens and the pharmacist to pay Hinchy $1.44 million.

A state appeals court upheld the award last year, saying trial evidence showed the man used Hinchy’s information to berate her for “getting pregnant on purpose” and extorted her “by threatening to release the details of her prescription usage to her family unless she abandoned her paternity lawsuit.” A copy of Walgreens’ check is framed on the wall of Eggeson’s home office, not far from his life-sized Batman costume and Star Wars lightsabers.

In 2008, Eggeson stopped handling insurance work altogether to devote himself to privacy cases.

“The vast majority of people who come through my door honestly are upset that no one has stepped up to the plate and said that what happened to you was wrong,” he said. “If the health care provider isn’t going to give them that satisfaction, then maybe a jury will.”

Among Eggeson’s current clients is a couple who claim that when their son was in an ATV accident this August, a hospital worker posted a comment on Facebook before the hospital had told them the teen had died. Panicked relatives who saw the post began calling his parents for updates, adding stress to an already wrenching time.

“It wouldn’t have changed the outcome,” said John Stuck, the boy’s father, “but just the feeling of what in the heck, what do they know that we don’t, that’s what freaked me out I think the most.”

Eggeson said he’s handling about a dozen cases. He turns away far more, mostly because he’s a solo practitioner with limited bandwidth and isn’t licensed in other states.

He shared a 17-page list of the calls and emails he’s received since mid-2013, including a sentence or two about each but no identifying information. Among them: A Massachusetts woman whose ex-sister-in-law accessed the patient’s infectious disease records, told relatives and posted it on Twitter, and a whistleblower at the U.S. Department of Veterans Affairs who contends her own medical records were accessed hundreds of times in retaliation.

When Eggeson files lawsuits, he argues that privacy breaches amount to medical malpractice.

“My argument has been that protecting the confidentiality of your protected health information, protecting your privacy, is part of what it is to be a doctor,” he said. “It’s part of your oath, it’s part of your duty.”

While Indiana courts have been receptive to such arguments, courts in Ohio, Minnesota and other states have ruled that health providers are not liable for the actions of workers who snoop in medical records outside the scope of their jobs.

A federal court in New York rejected a claim against the Guthrie Clinic, where a nurse accessed records of a man being treated for an STD after recognizing him as her sister-in-law’s boyfriend. While the man was awaiting treatment, the nurse sent at least six text messages to her sister-in-law informing her of his condition. The man, identified in court records as John Doe, complained to the clinic’s administrator and the nurse was fired, but a judge ruled the clinic couldn’t be held responsible for her actions.

“There is no evidence or allegation that [the nurse] took such steps on behalf of the clinic, or with the clinic’s authorization,” U.S. District Judge Michael Telesca wrote in 2012, dismissing the case. A federal appeals court upheld the ruling.

This summer, a Los Angeles jury ruled against a patient who sued UCLA and the Regents of the University of California after a romantic rival accessed and shared her medical records. The rival was a temporary worker in the office of a private practice physician affiliated with UCLA’s Santa Monica hospital. The doctor acknowledged improperly sharing his password and settled his part of the lawsuit.

UCLA maintained that it had taken adequate steps to protect patient privacy and that it should not be held liable for doctors and employees who break the rules. “We are pleased that the jury recognized that UCLA Health System’s policies concerning electronic medical records strike the right balance between protecting patient privacy and providing our patients with world-class medical care,” it said in a statement after the verdict. UCLA declined further comment.

J. Bernard Alexander III, the plaintiff’s lawyer, said UCLA’s privacy protections weren’t enough to catch violators unless patients complained. “If you aren’t checking to find out if there was a breach, you aren’t going to find it.”

