Hospital Privacy HIPAA Violation Lawsuits
Patients who exchange information about their medical condition, treatment, and finances with their healthcare entities and providers have a reasonable expectation that this information will be kept private.
However, as the result of a recent major breach, hundreds of prominent hospitals and healthcare facilities violated their patients’ privacy by sharing personally identifiable information with third parties, including Facebook, in violation of state privacy laws. The affected facilities are located in the following states:
HIPAA violations related to social media are not new. In 2017, a 24-year-old North Carolina medical technologist posted about a patient killed in a car crash, using the words, “Should have worn her seatbelt…” Although the employee said the purpose of her post was to remind people to wear their seatbelts, the post went viral and was considered to have disclosed private health information (PHI) about the patient. As a result of the breach, the employee was fired.
Privacy Laws Hospitals Must Follow
HIPAA, (Health Insurance Portability and Accountability Act of 1996) not only gives patients rights over their health information, but also sets rules and limitations on who can look at and receive this information, whether it is electronic, written, or oral. Prior to HIPAA, no rules existed to protect patient health information, but with the emergence of new technologies to improve the quality and efficiency of patient care, the number and severity of potential security risks also increased.
Most health care providers, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, must follow HIPAA’s privacy regulations, which apply to the following:
- Information doctors, nurses, and other health care providers put in a patient’s medical record.
- Conversations doctors have with nurses and others about a patient’s care or treatment.
- Patient information contained in a health insurer’s computer system.
- Billing information about patients.
- Most other health information kept about a patient by those who are required to follow the regulations.
Under HIPAA’s Privacy Rule, covered entities and their business associates must put safeguards in place that will protect patients’ private health information (PHI) to ensure that it is not used or disclosed improperly. These individuals and entities are required to reasonably limit the use and disclosure of this information to the minimum necessary to accomplish their intended purpose, and must implement procedures to limit those who can access and view patients’ protected health information. Training programs to instruct employees about how to protect patient health information must be implemented.
HIPAA also includes a Security Rule that establishes a national set of security standards for protecting electronic health information that is created, received used, or maintained by a covered entity, and requires the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
What is Considered a Breach of HIPAA?
According to federal law, a breach of protected health information occurs through the “acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA which poses a significant risk of financial, reputational, or other harm to the affected individual.”
Some common examples of social media HIPAA violations include:
- Posting information about a patient to unauthorized parties, even if the patient is not named.
- Sharing any form of PHI, including photos, without written consent from a patient.
- Assuming that posts are private or have been deleted when they are still visible to the public.
- Sharing of comments or pictures that happen to contain protected patient information (charts or files).
Social media violations of HIPAA are becoming increasingly common, and although difficult to predict or prevent, their consequences can be severe. They can include civil lawsuits, loss of medical license, employee termination, civil fines ranging from $100 to $1,500,000, and criminal penalties of as much as $250,000 in fines and up to 10 years in prison.
Has a Hospital Violated Your Privacy? Contact an Attorney Today
A privacy breach is a very serious matter. You may be able to recover damages by filing a lawsuit if you:
- Have a Facebook account.
- Your hospital or doctor’s office was one of the affected facilities.
- You have visited pages on the healthcare entity’s website and/or logged into a patient portal within the last two years.