Psych nurse gabs with TV news
In 2009, a Massachusetts man was charged with the murder of a college student at a café. He was found not guilty by reason of insanity, and was committed to a state psychiatric hospital for 60 years.
Eight years later, a nurse at this psychiatric hospital told the news that dangerous patients were playing violent video games such as Grand Theft Auto. The story made the TV news – with significant consequences. The man who was acquitted of murder charges in 2009 sued the hospital, claiming the nurse’s comments prevented his transfer to a building with lower security. He also claims the TV news story caused him distress, emotional pain and suffering, and damage to his therapeutic progress.
Privacy breach leads to assault
A rape victim was treated at a Kansas City hospital, where she received a rape kit examination. Afterward, one of the hospital’s X-ray technicians allegedly used the patient’s medical information to warn the rapist that the victim was accusing him of rape. The victim has since filed a lawsuit against the hospital for wrongfully releasing her health information to the alleged rapist. According to the lawsuit, after she was released from the hospital, her alleged attacker harassed her with threats, texts, and social media posts, and then attacked her again. The lawsuit asserts claims based on invasion of privacy, negligence, and fiduciary duty, and seeks financial and punitive damages.
HIPAA breaches ruin lives
Both of these examples show how bad things can get when healthcare employees share patient information in a way that goes beyond the bounds of HIPAA. These examples might seem extreme – and they are. Fortunately, they don’t happen every day. But they do happen. In these two cases, lives were harmed in ways that can’t be undone.
Most people who work in healthcare would never dream of doing something this hurtful. But do your employees truly understand the consequences of a HIPAA breach? Have you trained them to see the possible ripple effects of one improper disclosure of patient information? For example, what could happen if…
- A nurse looks up a co-worker in the EHR after the co-worker has been admitted to the hospital, to see if she will be coming to work the next day – just so the nurse knows whether she will be needed to work a shift? What might the nurse see while she’s in the EHR?
- A nurse aide is new on the job and struggling to learn nursing documentation. He takes a picture of a medical record with his phone so he can study it at home. Who else might see that record in his house?
- An employee comes across a medical record entry that she finds unusual. She takes a picture and texts it to another employee, who would find the humor in the situation. Would the patient think this is funny? What if the text gets forwarded again, and again, and again?
HIPAA works best when people are trained to think about HIPAA all the time, not once a year during annual training. We can’t prepare employees for all potential HIPAA risks they might come across. But we can help them better identify HIPAA issues, and think through the consequences of going beyond HIPAA.