Following the violation of the privacy of patients WakeMed Health and Hospitals has been ordered to pay a fine of $70,000 by a North Carolina Bankruptcy Court.
The violations happened when submitting proofs of claim to the bankruptcy court. Documents were filed electronically; however, they included the protected health information of debtors, containing names, Social Security numbers, bank account numbers, and dates of birth.
Under Bankruptcy Rule 9037, any proofs of claim filed in court filings must have sensitive information redacted before transmission. Social Security numbers, taxpayer identification numbers, and account numbers must have all but the last four digits of the numbers redacted. Dates of birth must also have the year of birth redacted. In addition to this, if the filings include details of minors only their initials must be included, not full names.
WakeMed Health and Hospitals did not redact this information, and further, a number of the proofs of claims also included protected health information. It was claimed this was a violation of the Health Insurance Portability and Accountability Act along with the hospital’s policy of privacy practices.
At the sanctions motions hearings, hospital staff argued that they had been given the required training on HIPAA regulations, but this did not include the filing of bankruptcy claims. They also outlined that the hospital also had no bankruptcy filing auditing system. Members of staff said they thought that the filing of proofs of claims also came under the definition of payment collections and that this was therefore not included in HIPAA.
While the court did not believe it had the jurisdiction to determine sanctions for HIPAA violations, it did have the power to award sanctions for violations of Bankruptcy Rule 9037.
The court ruled that the disclosure of private information of patients by WakeMed Health and Hospitals and the absence of training and supervision of staff amounted to negligence. The judge said, “An institution that participates in the bankruptcy process as frequently as WakeMed simply cannot ignore the requirements of the court; the Code and Rules are of equal importance to the requirements of HIPAA and other regulations that govern Wake Med’s business practices.”
The court ruled that WakeMed Health and Hospitals to pay punitive damages of $70,000 in addition to covering the legal fees of the lead consumers.
The legal action should serve as a warning to all hospitals that they must ensure compliance not only with HIPAA, but also with other statutes that are in place to protect the privacy of consumers.