Why is it so important to keep your medical records private? Your health care records include more than just information about your name, medications, and health conditions. Your personal health care information can include information you may not even be aware of. Modern medical records include information about your past, present, and even future outcomes.
Health care information can include information about your family history, sexual history, drug use, medications, medical diagnoses, genetic information, mental health, physically identifying features, and health prognosis. Your records can also include a lot of financial information that may be tempting to hackers, including Social Security numbers, insurance information, and financial records.
This information could expose you to financial exploitation, discrimination, and even blackmail. You should be in charge of who has access to your personal information. Unfortunately, hospitals, clinics, and doctors may not be as concerned about your personal health information. Failure to keep health information secure and private could be a violation of your health care privacy rights.
A medical malpractice lawsuit is generally used to recover damages for injuries caused by medical mistakes. However, a doctor, clinic, or hospital could also be liable for healthcare information privacy violations. A civil lawsuit may allow you to recover damages for harm caused by a security breach that violates your privacy rights. If you have questions about hospital security breaches and your rights, contact a law firm with a record of success.
Hospital Security Breaches
As more and more medical information moves to an all-digital format, medical records can become a more valuable resource for the healthcare industry and for hackers. According to the Department of Health and Human Services (HHS), “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
There is a presumption that an impermissible use or disclosure is a breach, unless the covered entity demonstrates a low probability that the protected health information has been compromised. Determining the risk of compromise is based on several factors, including:
- “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.”
When there has been a breach of protected health information, hospitals must notify the individuals involved, including patients whose health information may have been compromised. Notification may be by mail, or by e-mail if the individual has agreed to receive electronic notices. If the hospital cannot locate the individual, it must generally provide notice through the media or on the home page of its website.
Why do hackers want your personal health information? A copy of your medical records can be used to cause serious financial harm, enough to permanently damage your credit. With all the relevant identifying information, hackers could:
- Take out loans in your name
- Open up credit cards in your name
- Access your payment information
- Use your identifying information for fraud
Violations of Privacy and Doctor-Patient Confidentiality
Doctors have an ethical duty to maintain patient privacy and confidentiality. Doctors also have a legal duty to maintain privacy as part of HIPAA protections. In general, a doctor must respect the rights of patients and safeguard patient confidence and privacy. A doctor’s duty of confidentiality generally extends forever, even after the patient no longer sees the doctor or even if the patient passes away. There are limited exceptions where a doctor can or must breach patient confidentiality, including:
- Evidence of violence or child abuse
- Information relating to public health
- Where the doctor’s treatment is at issue in a legal claim
There is good reason why a patient may not want a doctor to share information outside the doctor-patient relationship. There are social and societal pressures that could cause a patient to want to keep their personal health private, including issues related to sexual activity, chronic disease, alcohol or drug abuse, genetic information, and mental health. It should be up to the patient to decide who gets to know about their private information.
HIPAA Privacy Violations
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established national standards for health care transactions, identification, and protecting health information. HIPAA established privacy rules to protect the personal health information of patients, allow patient access, and limit who can access or share private health information.
Security breaches generally involve two major areas of HIPAA, including the privacy rules and security rules. According to the HHS, “the Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.”
The Privacy Rule and the Security Rule apply to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. Protected health information includes individually identifiable health information that relates to an individual's physical or mental health or condition, the provision of health care to the individual, or payment for that health care.
As part of the Security Rule requirements, “covered entities” must put into place safeguards to secure individuals’ “electronic protected health information.” According to research published in the Journal of the American Medical Association (JAMA), theft by outsiders or unknown parties accounted for about one-third of protected health information disclosures. However, over 53% of protected health information breaches were internal and attributed to the health care entities’ own mistakes or neglect.
The HHS Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules, including imposing monetary fines and penalties. At any given time, OCR is investigating hundreds of cases. Breach reports often involve tens or even hundreds of thousands of individuals. Types of security breaches include:
- Hacking/IT Incidents
- Loss of Records
- Unauthorized Access/Disclosure
- Theft of Equipment
- Improper Data Disposal
Penalties for each violation may depend on whether the violation was known, unintentional, or intentional. HIPAA has 4 categories of violations, each with its own range of penalty amounts:
- Did Not Know: Each Violation $100-$50,000
- Reasonable Cause: Each Violation $1,100-$50,000
- Willful Neglect – Corrected: Each Violation $10,000-$50,000
- Willful Neglect – Not Corrected: Each Violation $50,000
For example, in 2021, health insurer Excellus Health Plan, Inc. agreed to pay $5.1 million to OCR to settle potential violations of the HIPAA Privacy and Security Rules. The health insurer reported that cyber-attackers had accessed its information technology system, installed malware, and conducted reconnaissance activity. This security breach disclosed the protected health information of more than 9 million people, including name, address, date of birth, Social Security number, bank account information, health care information, and treatment information.
Is the Hospital Liable for Security Breaches?
Under HIPAA, a health care provider that transmits any information in an electronic form in connection with a transaction is a covered entity. This may include hospitals, academic medical centers, doctors, clinics, nursing homes, and pharmacies. A hospital is generally liable for any security breaches that release personal health care information.
Hospital liability could involve failure to take security precautions against outside attacks, failure to train employees about privacy policies, or failure to address privacy violations by employees. Even if an employee is responsible for negligence in causing harm, the hospital is generally liable under vicarious liability.
Hospital Liability for Employee Negligence
Employees are often at the front line of handling personal health care information, including gathering information, entering information into charts, and sending out billing information. Health care employees are generally aware of the importance of security and privacy, and often have lengthy training to keep them up to date on HIPAA requirements. However, employees may take shortcuts, or let their curiosity get the better of them. Any mistakes made by employees who are not following regulations can put healthcare security at risk.
The history of vicarious liability for employee negligence goes back a very long time. When an employee negligently causes harm to another, where can the injury victim turn for compensation? The employee may not have enough money to pay for the damage caused. On the other hand, the employer benefitted from the work of the employee that caused the damage. The employer is often in a better position to compensate an injury victim for the negligence of their own employees.
In a vicarious liability claim for employee negligence, also known as respondeat superior, the injury victim generally has to show the negligent party was employed by the employer, and the negligent party was acting in the course and scope of their employment.
Why Are Privacy Violators Not Always Held Accountable?
Unfortunately, even with strict privacy and security requirements, hospitals and healthcare providers are not always held accountable for privacy violations. According to a ProPublica report, some health providers have been subject to hundreds of complaints for violating federal privacy laws. However, these violations may only result in private warnings and rarely include sanctions.
According to the report, from 2011 to 2014, the U.S. Department of Veterans Affairs had 220 complaints. CVS Health had 204 complaints, Walgreens had 183 complaints, and Kaiser Permanente had 146 complaints. Despite having the highest number of privacy complaints, the VA was never sanctioned for privacy violations.
One problem with violations is that patients may never know their data was compromised. Even if the hospital does report a privacy violation, the notification may come through an email that the individual never opens. If the individual cannot be located, the rules may rely on them regularly visiting the hospital website to find out about a possible breach.
Damages in a Security Breach Claim
Another issue is that hospitals may be able to win their case if they can successfully show that no harm resulted from a data breach. A hospital may claim the patient suffered no injury and lost no money after a security breach compromised patient records. However, if a patient later discovers that someone made a fraudulent charge on a credit card used to pay a hospital bill, or that there was a fraudulent name change attempt on a credit report, this could be the result of the data breach, and it could support a claim for damages.
This is why it is so important to talk to an experienced medical malpractice team before trying to take on major insurance companies, hospital administrations, and the healthcare industry. Damages in a security breach claim can include financial and emotional harm, including:
- Credit card fraud
- Identity theft
- Tax filing fraud
- Loss of property
- Disclosure of private medical information
- Blackmail
- Inability to work
- Damage to your reputation
- Emotional distress
- Mitigation damages
Do I Have a Medical Malpractice Claim After a Hospital Security Breach?
Medical malpractice cases can be very complicated and whether you have a case depends on the specific facts of your situation. If a medical worker or hospital breached their duty of care to you as a patient, which caused an injury or harm, you may have a claim for damages. Damages can include medical bills, lost wages, and pain and suffering.
With hospital security cases, the hospital may not be very open about what happened and how you might have been exposed. Asking the hospital if you could have been harmed after a medical error may get you nowhere. An experienced medical malpractice attorney can change the situation. Your attorney can get copies of records and require hospital officials to respond to questions about what really happened.
An experienced medical malpractice lawyer at Gilman & Bedigian can evaluate your medical malpractice case and help you understand your rights. Talk to experienced trial attorneys who can review your case, get an expert’s review, and help you understand your legal options to file a claim after a medical malpractice injury. Contact Gilman & Bedigian online or at 800-529-6162 for a free consultation.