North Carolina Hospital Ordered to Pay Damages for Breaching Patients’ Privacy
WakeMed Health and Hospitals in Raleigh, North Carolina, was ordered by a federal bankruptcy court to notify thousands of patients of a breach of protected health information (PHI), the Raleigh News and Observer reported September 19.
The court also ordered WakeMed to pay a $70,000 fine and offer affected individuals one year of free credit monitoring.
Between December 2007 and December 2015, WakeMed disclosed the PHI of some former patients in claims it filed in bankruptcy courts to collect unpaid medical bills. PHI released in the claims included:
- Addresses
- Dates of birth
- Medical information
- Names
- Social Security numbers
The breach first came to light in December 2015, when Cort Walker, an attorney at Sasser Law Firm in Cary, North Carolina, reviewed documents WakeMed filed against his clients to collect debts, WRAL reported. Walker found 158 records that included personally identifying information in violation of the federal bankruptcy code. Under that code, only the last four digits of an individual’s Social Security number and the year of his or her birth can be included in claims filings.
The WakeMed employee responsible for filing most of the organization’s bankruptcy claims testified that she was not trained on the organization’s policies and had no supervision. The extent of the organization’s negligence was specifically cited as a reason for the fine by the presiding judge, Stephani Humrickhouse, who said that a large organization that routinely participates in bankruptcy proceedings should know better and that its lack of attention to basic privacy laws was troubling.
It's not clear whether the Office for Civil Rights will conduct its own investigation or take action against WakeMed. The breach is likely an impermissible disclosure under HIPAA because the court specifically stated the personal information disclosed was not necessary to demonstrate WakeMed’s claims, says David Holtzman, JD, CIPP, vice president of compliance for CynergisTek in Austin, Texas. Covered entities and business associates are permitted to disclose limited PHI when they take legal action to collect payment for healthcare treatment or recovery of benefits paid by an insurer. However, the PHI disclosed must be limited to the minimum necessary and other steps should be taken to restrict access, he adds.
“If a document contains sensitive information or PHI is being disclosed, a protective order should be requested from the court to protect the public disclosure of treatment information or confidential financial information that could create the risk of financial harm or identity theft,” he says.
It appears that WakeMed did not initially request a protective order. In December 2015, WRAL reported that it was able to gain access to the claims WakeMed filed with the court and found the records included documents labeled as confidential medical information. Early this year, the organization requested that the court seal the documents.
Walker filed a civil suit against WakeMed on behalf of his clients in December 2015. Two of the plaintiffs were awarded damages of more than $10,000 each. A third plaintiff filed a separate suit this month.