Misguided Mistakes and Egregious Errors – Two HIPAA Case Studies

When it comes to HIPAA violations, there are, sadly, plenty of examples available to serve as cautionary tales. Some seem like innocent mistakes that just about anyone could make. Others are so egregious that those involved appear to be willfully inviting the wrath of regulators and malpractice attorneys. Unfortunately, some people assume that any post that does not include the patient’s name or photograph is a safe post. As we will see, that is a false and dangerous assumption. The following examples of HIPAA violations over the years offer valuable lessons for anyone dealing with patient privacy issues in the digital age.

Before and After

Because purely cosmetic procedures are not typically covered by health insurance, plastic surgery practices often need to market their services more aggressively than other providers. This often means posting patient “before and after” photos in order to showcase a surgeon’s results. Doing so can place the provider in the center of a digital minefield, where slip-ups can result in lawsuits and HIPAA violations. Mandi Stillwell, a San Francisco photographer, was stunned when a man she met on an online dating site informed her that his Google search of her name had turned up photographs of her bare breasts. Stillwell had undergone plastic surgery in Fresno and had agreed in writing to let Dr. Enraquita Lopez photograph her and use the images to market the practice. However, the agreement stipulated that if images of her results were used, Stillwell would remain unidentifiable. The photographs showed only her torso. Stillwell filed suit against Dr. Lopez. In court, Dr. Lopez’s lawyer explained that the doctor and her staff had made a mistake and accidentally placed identifiable photos of Stillwell on the Internet. The photos were removed as soon as the doctor was made aware of them. The jury found in favor of Stillwell, and she was awarded an $18,000 settlement. Of course, just because the doctor had the photos removed from the Internet does not mean they will not reappear. Any viewer with a computer could have copied them and could repost them at any time.

Even when a provider is confident that photos it has posted make it impossible to identify a patient, the digital world can prove them wrong. In one case, otherwise anonymous photos were posted on a practice’s website in such a way that clicking on the photos revealed their digital file names, which included the patients’ names. You must be aware of hidden or semi-hidden information in digital photos and other files and always make sure that all patient identifiers are removed.

To modify a line from Thomas Jefferson, the cost of patient privacy is eternal vigilance.

An Inside Job

An employee who unintentionally creates a HIPAA breach is bad enough, but a rogue employee who willfully creates them is every practice’s worst nightmare. Some employees can’t resist snooping in medical records; others go much further. Consider the case of a high-end plastic surgery practice located on Beverly Hill’s posh Rodeo Drive. A contract employee who started out as a driver and translator was soon given other duties, including data entry. Things went bad very quickly. Just six months after the employee started, the practice confronted her about missing funds. She quit but claimed she could not return her company phone because she had lost it. The practice was able to recover the phone when the ex-employee was caught trespassing at a facility that stored patient records. According to the office manager, the former employee had been surreptitiously photographing and videoing patients and procedures, patient records, and credit card numbers. It also appears the employee may have been responsible for a burglary at the practice, during which a large amount of data was downloaded to a hard drive and paper records were stolen. Some patients began receiving threatening and harassing phone calls and emails. As of this writing, the Los Angeles Sheriff’s Department is conducting an ongoing investigation.

Obviously, you should screen and background check employees carefully to help prevent “inside jobs.” And every employee should be thoroughly trained and know the boundaries that apply to their position. What’s more, you should be monitoring data access to ensure that no one is viewing, printing, or downloading any information that is beyond the scope of their duties. Doing so allows you to spot irregularities early on and deal with them in a timely manner.

Excerpt from Tweets, Likes, and Liabilities: Online and Electronic Risk to the Healthcare Professional by Michael Sacopulos and Susan Gay. Mike Sacopolus is also Co-host of the SoundPractice Podcast www.soundpracticepodcast.com