Our job at HIPAA Secure Now! is to help our clients comply with HIPAA regulations. As part of that process we try to educate our clients and their employees on the importance of protecting patient privacy. We use examples of HIPAA violations to help clients understand some of the concepts of HIPAA, such as: what protected health information (PHI) is, what system auditing and system activity review are, and most importantly what the outcome of a breach of a patient’s privacy could be and the steps to prevent breaches from occurring.
Compliance driven by fear of financial penalties
When we talk to organizations about HIPAA compliance, the topics of HIPAA fines, audits and the cost of breaches usually dominate the conversation. It seems a large majority of organizations are driven by the fear of HIPAA penalties rather than the fear of breaching patients’ privacy. While that might not be true for all organizations, unfortunately fear of fines drives a lot of organizations to start thinking about HIPAA compliance.
When a real-life privacy breach hits the headlines, it is important that organizations take a step back and use the information as a case study to prevent similar breaches from occurring at their organization. Unfortunately there is a perfect example of the impact to an individual who has had their privacy breached.
Privacy breach of HIV-positive individual
A man, identified as John Doe, who was HIV-positive was admitted to Advocate Sherman Hospital, where one of his neighbors, William Zagalak, looked up his medical records. Zagalak then told other neighbors that John Doe was HIV-positive. A lawsuit against Zagalak contends that as a result of the privacy breach, Doe became the target of ridicule and hate crimes and has been ostracized by the community.
The suit contends that William Zagalak, then a respiratory care specialist at Advocate Sherman Hospital in Elgin, looked up the man’s medical records without authorization and shared that information with Zagalak’s wife, co-workers and neighbors. Zagalak no longer works at Sherman.
Doe alleges in the suit he believes Zagalak went through his medical records and learned of his medical condition. He then proceeded to share that information with others, including Doe’s neighbors, the suit states.
Doe says he contacted hospital administrators in the fall of 2013 about the incident.
A letter, written in September 2013 by a Sherman Advocate privacy specialist and contained in the suit, confirmed that Doe’s medical account had been improperly accessed — more specifically, that Zagalak had viewed Doe’s records without authorization for approximately two minutes on Jan. 20. The letter said Zagalak was no longer employed with the hospital.
According to a lawsuit filed May 9 in Kane County court, the patient — identified as John Doe — has “become a target for ridicule and hate crimes” and has been “ostracized by the community” because of the disclosure.
Real impact of privacy breaches
It is stories like this that show the real impact of breaches of a patient’s privacy. Headlines have been dominated lately by large fines against organizations that have lost laptops containing unprotected PHI. While the fines are huge and the headlines grab people’s attention, the real impact of these breaches on patient privacy is usually never known. The impact might be financial harm to a patient, or the information might be used to blackmail a patient or damage a patient’s reputation.
This case should be discussed at every organization that is responsible for handling patient information, including covered entities and business associates. Understanding the real impact of a breach on a patient’s privacy will help prevent similar breaches from occurring. Education and procedures must be put in place to prevent this type of privacy breach from occurring.