Michael Hiltzik writes:
Of all the personal information that you might want to keep private, your medical records are the most important. That’s why federal and state laws carry stiff penalties, up to and including jail time, for healthcare providers who let such data loose into the wild.
So you should be aghast at how free and easy Prime Healthcare Services and two executives at Prime-owned Shasta Regional Medical Center have been with the medical chart of a patient named Darlene Courtois. They showed the entire chart to an editor of her hometown newspaper, and Prime’s corporate office divulged some of her medical examination results to me (though I didn’t ask for them). They didn’t have her permission for those disclosures, her daughter says.
Their justification is that Courtois implicitly waived her medical privacy by sharing a portion of her records with a different news organization. But that doesn’t wash. No matter what Courtois said or did, without her specific consent Shasta still doesn’t have the legal right to disclose her file on its own, say the experts I’ve talked to.
Read more in the Los Angeles Times.
This situation might be a good one to include in HIPAA privacy training – either specifically or in the more general form of whether doctors or providers can defend themselves against public statements made by patients if they do not have the patient’s explicit consent to discuss their case. It’s not clear from the report whether the hospital executives were relaying their own understanding (or misunderstanding) of HIPAA or whether they had consulted lawyers who advised them that they did not need consent. But based on the circumstances described in the report, if they are accurate, the executives could find themselves facing HIPAA violation charges on top of their other problems.
One of the biggest barriers for people like me (health information system researchers focusing on privacy and security) in understanding EHR/PHR/HIE functionality and how it differs across institutions is that it’s impossible for a provider to allow me to see how physicians use these tools without some disclosure of PHI. I’m not saying I need to be accommodated, but I wish there were an easier way to allow tinkering with real systems in a safe way. Of course, this case is beyond egregious and is a great example of a case that cries out for HIPAA civil enforcement. (right?)