Health Care Providers Beware: It's Not Just Celebs Who Tempt Medical Record Snoopers
Medical record snooping, or unlawfully accessing patients' data simply for curiosity's sake, is just as illegal as massive data breaches in which millions of patients' sensitive health data are compromised, and can expose health care providers to civil liability under HIPAA and state law causes of action, health care data privacy experts told Corporate Counsel.
March 18, 2019 at 04:38 PM
4 minute read
A nurse's ex-boyfriend from high school just had an appointment with a psychiatrist in the health care facility where she works, and she wants to sneak a quick peek at his medical paperwork. And perhaps because it's so alluring to look at another's health records, it's happening a lot more than we think, health care data privacy experts say.
“It's not just when the VIPs or celebrities are involved,” said Neal Eggeson, a plaintiffs lawyer who focuses on privacy and Health Insurance Portability and Accountability Act violations. “I think a shocking percentage of us would do it without too much hesitation.”
But instances of so-called medical record snooping for curiosity's sake are just as illegal as, for example, massive data breaches in which millions of patients' sensitive health data are exposed, the experts add.
This conduct may recently have cost dozens of workers at Northwestern Memorial Hospital in Chicago their jobs after they allegedly improperly viewed the medical records of “Empire” star Jussie Smollett, who was treated at the emergency room after he claimed he was attacked by two men. One of the nurses has said the incident was a misunderstanding, that she—and likely many other of the fired employees—simply scrolled past Smollett's records when looking for another patient's information.
When asked about the incident, a hospital spokesperson said in an email that company policy prevented him from commenting on the employment status of any employee.
HIPAA provides that a health care provider may access or use a patient's medical records only for treatment, health care operations or payment, meaning that incidents of unlawful snooping expose the provider to civil liability—and the possibility of large fines—under HIPAA, Eggeson said, adding that state law also may govern in some jurisdictions.
Given that HIPAA does not allow a private cause of action, Eggeson said “one has to come up with more creative ways to sue for a HIPAA violation,” often a state law cause of action such as medical malpractice or breach of a professional duty.
“If this is my health care provider, then a standard of care is set for protecting my health care and my confidentiality,” he said. “Of course then hospitals will turn around and say we have all sorts of policies [prohibiting this behavior] in place.”
But best practices to help health care providers avoid liability for unauthorized snooping by employees should go beyond just the creation of policies, said Helen Oscislawski, founder of health care law firm Oscislawski LLC.
If a health care facility is working with a technology vendor on its electronic records system, for example, it should ask if there are options such as a pop-up window that requires the individual to attest to the fact that he or she is treating the patient and thus is authorized to have access to the records before granting access, Oscislawski said.
She added policies around this issue must make clear what the employer's expectations are and what it is prepared to do in the case of a violation, noting posters and other visual aids can provide reminders of these expectations.
Training also must make employees “very keenly aware” of the repercussions for this behavior, Oscislawski said.
Finally, she added, expectations and policies must be carried through by way of sanctions and appropriate enforcement.
“There is a compliance piece that puts the hospital on the hook, and failure to fall short of reasonable and appropriate safeguards and best practices on that would open [providers] up to potential HIPAA enforcement,” she said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHealth Care Giants Sue FTC, Allege Lina Khan Using Loaded Process to Vilify Pharmacy Benefit Managers
3 minute readHigh-Flying Genetics Testing Firm GeneDx Hires Ex-Zoetis GC as Legal Chief
2 minute readAs AI Transforms Drug Development, FDA Is Scrambling to Figure Out Guardrails
5 minute readTrending Stories
- 1Trump and Latin America: Lawyers Brace for US's Hardline Approach to Region
- 2Weil Advances 18 to Partner, Largest Class Since 2021
- 3People and Purpose: AbbVie's GC on Leading With Impact and Inspiring Change
- 4Beef Between Two South Florida Law Firms Deepens With Suit Over Defamation
- 5Judge Skips Over Sanctions in Talc Bankruptcy: 'That’s A No'
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250