Misguided Mistakes and Egregious Errors – Two HIPAA Case Studies

By Michael J. Sacopulos, JD
July 4, 2019

When it comes to HIPAA violations, there are, sadly, plenty of examples available to serve as cautionary tales. Some seem like innocent mistakes that just about anyone could make. Others are so egregious that those involved appear to be willfully inviting the wrath of regulators and malpractice attorneys. Unfortunately, some people assume that any post that does not include the patient’s name or photograph is a safe post. As we will see, that is a false and dangerous assumption. The following examples of HIPAA violations over the years offer valuable lessons for anyone dealing with patient privacy issues in the digital age.

Before and After

Michael SacopulosBecause purely cosmetic procedures are not typically covered by health insurance, plastic surgery practices often need to market their services more aggressively than other providers. This often means posting patient “before and after” photos in order to showcase a surgeon’s results. Doing so can place the provider in the center of a digital minefield, where slip-ups can result in lawsuits and HIPAA violations. Mandi Stillwell, a San Francisco photographer, was stunned when a man she met on an online dating site informed her that his Google search of her name had turned up photographs of her bare breasts. Stillwell had undergone plastic surgery in Fresno and had agreed in writing to let Dr. Enraquita Lopez photograph her and use the images to market the practice. However, the agreement stipulated that if images of her results were used, Stillwell would remain unidentifiable. The photographs showed only her torso. Stillwell filed suit against Dr. Lopez. In court, Dr. Lopez’s lawyer explained that the doctor and her staff had made a mistake and accidentally placed identifiable photos of Stillwell on the Internet. The photos were removed as soon as the doctor was made aware of them. The jury found in favor of Stillwell, and she was awarded an $18,000 settlement. Of course, just because the doctor had the photos removed from the Internet does not mean they will not reappear. Any viewer with a computer could have copied them and could repost them at any time.

Even when a provider is confident that photos it has posted make it impossible to identify a patient, the digital world can prove them wrong. In one case, otherwise anonymous photos were posted on a practice’s website in such a way that clicking on the photos revealed their digital file names, which included the patients’ names. You must be aware of hidden or semi-hidden information in digital photos and other files and always make sure that all patient identifiers are removed.

To modify a line from Thomas Jefferson, the cost of patient privacy is eternal vigilance.

An Inside Job

An employee who unintentionally creates a HIPAA breach is bad enough, but a rogue employee who willfully creates them is every practice’s worst nightmare. Some employees can’t resist snooping in medical records; others go much further. Consider the case of a high-end plastic surgery practice located on Beverly Hill’s posh Rodeo Drive. A contract employee who started out as a driver and translator was soon given other duties, including data entry. Things went bad very quickly. Just six months after the employee started, the practice confronted her about missing funds. She quit but claimed she could not return her company phone because she had lost it. The practice was able to recover the phone when the ex-employee was caught trespassing at a facility that stored patient records. According to the office manager, the former employee had been surreptitiously photographing and videoing patients and procedures, patient records, and credit card numbers. It also appears the employee may have been responsible for a burglary at the practice, during which a large amount of data was downloaded to a hard drive and paper records were stolen. Some patients began receiving threatening and harassing phone calls and emails. As of this writing, the Los Angeles Sheriff’s Department is conducting an ongoing investigation.

Obviously, you should screen and background check employees carefully to help prevent “inside jobs.” And every employee should be thoroughly trained and know the boundaries that apply to their position. What’s more, you should be monitoring data access to ensure that no one is viewing, printing, or downloading any information that is beyond the scope of their duties. Doing so allows you to spot irregularities early on and deal with them in a timely manner.

Excerpt from Tweets, Likes, and Liabilities: Online and Electronic Risk to the Healthcare Professional by Michael Sacopulos and Susan Gay.  Mike Sacopolus is also Co-host of the SoundPractice Podcast www.soundpracticepodcast.com

Topics: Management

Are You Enabling a Toxic Culture Without Realizing It?
6 Steps Leaders Can Take To Get The Most Out of Feedback
Online Courses - Interdisciplinary Relationship Management

Popular Articles


About Physician Leadership News

Now more than ever, physicians are leaders in their organizations and communities.

The American Association for Physician Leadership maximizes and supports physician leadership through education, community, and influence. We promote thought leadership in health care through our Physician Leadership News website, bimonthly Physician Leadership Journal and other channels.

We focus on industry leadership issues such as patient care, finance, professional development, law, and technology. Association announcements and news of association events can be found.

Send us your feedback at news@physicianleaders.org.

Journal Submission Guidelines

AAPL's award-winning print publication, the Physician Leadership Journal, welcomes originally authored manuscripts for peer review that meet competency, formatting and preparation criteria. To review these guidelines and other information regarding submissions, click here.