$190M Lawsuit Over Potential HIPAA Privacy Violations Settled by Johns Hopkins Health System

A civil action lawsuit arising from HIPAA violations caused by a physician at the Johns Hopkins Health System has been settled for a $190 million.

The settlement arose due to a HIPAA Privacy Rule violation caused by an obstetrician and gynecologist who had used a concealed camera to take photographs and videos of his patients during examinations.

The physician used a pen-like device to take 140 inappropriate pictures and approximately 1,200 videos of his patients, according to the findings of a review into professional misconduct.

Dr. Nikita Levy, M.D., had been employed at the hospital for more than 20 years, but in early 2013 another hospital staff member alerted management about a device that Levy was seen wearing around his neck during patient examinations. While the device looked like a pen, the member of staff believed that it was actually a camera.

The matter was made known to hospital’s Information Security Department and Levy was interviewed in his office by security staff. They found a number of devices which they believed to be hidden cameras and they asked the physician to hand over all of these devices, which he did.

An review of into the matter was begun, but a few days later Levy committed suicide. Law enforcement was notified and a search of the physician’s home was complete where they found a number of images and videos of the bodies of his patients, most of which were unidentifiable. The material was located on a multiple servers in the physician’s home, although according to a representative of Johns Hopkins, “Thankfully, law enforcement found no indication that any images were ever shared.”

Information Security Group was advisedd by Johns Hopkins that action has been taken to enhance privacy standards at the hospital since the physician’s actions were uncovered. The spokesperson said “We have implemented numerous steps to educate, inform and empower our staff to identify and alert us if they have any concerns. We also conducted a comprehensive initial inspection of our facilities and continue to conduct random inspections.”

A release on the hospital website said, “We have come to an agreement that the plaintiffs’ attorneys and Johns Hopkins Health System believe is fair and properly balances the concerns of thousands of plaintiffs with obligations the Health System has to provide ongoing and superior care to the community. It is our hope that this settlement – and findings by law enforcement that images were not shared – helps those affected achieve a measure of closure.”

The settlement covers “more than 7,000 unique registrants,” and according to the hospital, many of these were underage. As per the HIPAA breach notification rules, the hospital issued letters to all concerned alerting them of an invasion of their privacy and posted an official notice to the media, although it is not clear whether the matter was reported to the OCR or if the hospital considers this to be a violation of HIPAA or just a violation of patient privacy.

Under HIPAA regulations, personally identifiable material, including physical records, electronic medical records and personal identifiers are classed as PHI, which includes images and photos. These are classified as PHI if a patient can be recognized from the images. It could be claimed that even if the patients’ faces were not on the videos or images, they may still have been identifiable, and it is therefore possible that HIPAA laws have been breached.

What is not obvious is whether it is reasonable to expect the hospital to have taken action to avoid the incident occurring. Healthcare providers can certainly put in pace safeguards to prevent staff from violating HIPAA, such as providing training and advising the staff that it is not permissible to capture photographs of patients – for non-medical reasons – or to take PHI for personal use. Whether this would have stopped the doctor from taking the photographs will remain unknown.