On 26th September, Lori Stein attended Cotton-O’Neil Diabetes and Endocrinology Center in Topeka and met with an endocrinologist for an appointment. Lori Stein´s checkup was standard in order to monitor her diabetes, but during her consultation she inquired if she could have a home test glucometer. A nurse gave her a sample glucometer and some test strips and supplied her with two boxes.
When she got home she found a slip of paper between the boxes and started to read it thinking it was a print out of her consultation. The page contained information on her health conditions and listed her as suffering from severe obesity, which was wrong. She also noticed other diagnoses and treatments which she did not suffer from and when she read the page more closely she noticed the patient details written at the top of the page were not hers. She had been given the page by mistake.
The data at the top of the page included the patients name, address, medical diagnoses, treatment details and general data such as age, height, weight and allergies associated with the patient.
Since Lori had previously been a practicing psychotherapist she was knowledgeable of HIPAA regulations and realized that the nurse had breached Privacy and Security Rules. In the wrong hands the data could be used to fraudulently obtain benefits and services.
Lori was worried about the incident as she realized that if a simple error like this could be made with another patient, it was possible that her health information may have been released by accident. The next day she called the medical center to report the mistake and was told that the matter would be examined. She was also sent to Barbara Duncan, the chief privacy officer at Stormont-Vail HealthCare.
She arranged a meeting with Duncan where she was asked to return the document, although she refused to hand it over as she considered it to be the only proof of the HIPAA violation. Stein advised Duncan that harm could be done if the data got into the wrong hands, yet Duncan believed the breach to have been caused by “carelessness and laziness and advised Stein that “People get complacent about compliance.”
Stormont-Vail HealthCare Spokesperson, Nancy Burkhardt, subsequently confirmed that its workforce is committed to protecting the privacy of its patients and has been told of the importance of protecting patient data, including being given information on the new Rule.
Burkhardt remarked, “The importance of protecting patient privacy is communicated through articles published in our employee newsletters and in regular corporate compliance meetings. To ensure appropriate monitoring, prevention and detection, we have a HIPAA privacy officer, who is responsible for HIPAA privacy compliance.”
She confirmed that data violations and complaints are treated very seriously and all matters are examined internally and that action would be taken if an employee was found to have behaved in a negligent manner or had made a mistake that caused a HIPAA breach. Each case is treated on its own basis and could potentially result in the termination of an employee’s contract, although in other cases the provision of training may be a more appropriate measure.
Stein also issued a follow up letter to the facility to say that she would take action if her medical records were compromised and received a return letter from Anne M. Kindling, Manager of Risk Management at Stormont-Vail HealthCare. She told Stein that her case had been reviewed and confirmed that Steins medical records had been printed on one occasion but were sent for secure shredding after that.
She was told “Since we were able to retrieve all of the documents, I am confident that your records were not disclosed to any other individual and therefore there was no breach as to your own health information.” She was also told that her claim for damages was denied as the management believes its actions stopped her data from being exposed.
She was also advised that she would be sent a legal document for her to sign to confirm that she had not, and will not, disclose the data she had seen. Stein is now seeking legal guidance regarding making a claim for damages.
