Records Snooping Alleged in Tragic Death of ToddlerLawsuit Alleges Hospital Cafeteria Workers Accessed Child's Records
A tragic accident involving the drowning of a young boy also turned into a privacy breach nightmare for the toddler's adoptive parents, a lawsuit filed against an Oklahoma county hospital alleges.
The complaint, filed by the child's adoptive parents, Gerl and Denise Russell, alleges that unauthorized employees of McAlester Regional Health Center violated HIPAA, breaching their son Keon's electronic health information on July 17, 2016, when the 2-year old was transported to the hospital's emergency department where he died after a swimming pool accident.
The Russells allege that a hospital worker inappropriately accessed Keon's electronic health records and notified the child's birth mother - who had allegedly consented to terminate her rights upon his adoption by the Russells in July 2015 - of the child's death.
"As a result of the aforementioned breach/violation, plaintiffs were forced to deal with [Keon's] biological mother during their time of grieving, specifically being subjected to extreme emotional distress during the funeral proceedings, as well as other incidents of emotional distress in dealing with the biological mother," the suit alleges.
Unauthorized Access Allegations
Attorney Mark Edwards, who is representing the Russells in the lawsuit, tells Information Security Media Group that while one McAlester employee is alleged to have contacted Keon's birth mother about the drowning, other hospital employees, including cafeteria workers, also allegedly inappropriately accessed the child's information - including labor and delivery department records.
Edwards alleges that McAlester's cafeteria workers were able to inappropriately access the hospital's EHR system through the credentials of one food service employee who was authorized to access patient information to check whether individuals had certain dietary restrictions or had diabetes and to confirm patient room numbers where meal were delivered.
A hospital food service employee who was authorized to access the EHR system was instructed to make those credentials - username and password - available to the other cafeteria workers by posting them on a sticky note on a computer, Edwards claims.
An audit of the day that Keon died shows that the authorized food service worker accessed the child's records multiple times, Edwards says. "However, she wasn't even on duty that day," indicating that other cafeteria workers had inappropriately used her credentials to access Keon Russell's health records, he contends.
Edwards also alleges that prior to the incident involving the Russells, "the only HIPAA training hospital workers received was watching a two- to three-minute video on HIPAA once a year, along with other training videos."
Grounds for Lawsuit
Edwards acknowledges that under HIPAA, individuals do not have the right for private legal action.
For alleged HIPAA violation cases, the Department of Health and Human Services Office for Civil Rights and state attorneys general are the only parties that can bring legal action.
The lawsuit, however, alleges the hospital was guilty of negligence because it failed to keep Keon Russell's information private "per the HIPAA law and [its] internal policies." It also alleges the hospital violated Oklahoma's medical records statutes and says the facility intentionally inflicted emotional distress.
The Russells are seeking $150,000 in damages.
A McAlester Regional Hospital spokesman declined to comment on the Russells' allegations, saying the hospital does not comment on ongoing litigation.
A jury trial is slated for January, Edwards says.
Lessons to Learn
While the Russells' lawsuit winds its way through court, some experts says other healthcare entities can learn from the tragic case.
"Healthcare organizations of all sizes must place a greater emphasis on protecting patient privacy as well as the information security of the electronic information systems that handle PHI. This can only be accomplished by finding the right balance of administrative policies, physical security protections and technological controls that effectively manage the risk to health information identified through an enterprisewide risk analysis," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"However, all of these efforts will fail without delivering robust training to address how each workforce member plays a role in protecting and respecting the privacy of the patients they serve as well as their role in preventing cybersecurity incidents."
Privacy attorney Iliana Peters of the law firm Polsinelli, who is a former HHS OCR official, notes that allegations in the Russells' case are similar to other cases that ended up in enforcement actions by OCR.
For instance, Peters notes that OCR entered into a $865,000 settlement in 2011 with the University of California at Los Angeles Health System to settle potential violations of the HIPAA privacy and security rules in a case involving unauthorized employees repeatedly looking at the electronic protected health information of numerous patients from 2005 to 2008. The OCR investigation began in 2009 after complaints were filed on behalf of two celebrity patients, alleging that employees at UCLAHS repeatedly viewed their e-PHI without permission (see UCLA Health System Fined).
Peters says the UCLA case served as a reminder that under HIPAA, covered entities must ensure that workforce members have role-based access to only the minimum PHI they need to do their jobs; entities must audit accesses to PHI; and employees who impermissibly access PHI must be sanctioned, Peters notes.
Record snooping cases have a common denominator, Holtzman says. "People who work in healthcare are naturally curious when illness or injury touches a co-worker, friend or neighbor. The purpose of having effective information privacy and security controls in place is to act as a circuit breaker to prevent or defeat the impulse to intrude on the intimate, sensitive information of individuals who are outside of their responsibility or for who they have no legitimate need to access this data."
The Russell case also appears to have similarities "to another incredibly sad case" in which OCR entered into a settlement agreement with New York Presbyterian Hospital in 2016, Peters notes. In that case, OCR reached a $2.2 million settlement with the hospital after determining it allowed a TV crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.
That case was based on a complaint by the son of a man whose death was recorded for the television show "NY Med" unbeknownst to his family, she says. "The New York Court of Appeals allowed certain claims to proceed under state law, while disallowing others," she adds.