Confidentiality

[HeavenSent]

I pre-registered for an outpatient procedure via internet.  The hospital replied via email to give me a confirmation number.  I had the option to click on a link to view the details of my registration, so I did.  All information I supplied them was there to see....so was 15 other peoples who have apparantly pre-registered in the last few days!  

It displayed what looked like a spreadsheet with each persons name, address, SS#, procedure being performed, and date and time of procedure.  I can click on the person's last name to go view the rest of the information such as home phone, email address, religion, church name address and phone #, summary of medical history, insurance details, employer's name address & phone#, emergency contact with thier name address and phone #, allergies, anesthesia preferences, doc's information, etc.

I called the hospital and got a huge run-around.  No one knew what I was talking about.   After being transferred for the 6th time, I was so mad I just hung up.

Do I have any legal recourse for such a breach of confidentiality?

Thanks.

[socrateaser]

>Do I have any legal recourse for such a breach of
>confidentiality?

Maybe, but first, you need to prove that your information was released to someone else. So far, you only have proof that someone else's information was released to you.

[DecentDad]

Hi,

At a previous employer, I helped manage development/design of web-based software for healthcare practitioners, so I got pretty familiar with HIPAA requirements/compliance when dealing with online communiques and transfers of information.

What you describe is a clear HIPAA violation.  Even if it were a link from your email to a webpage containing only your personal info (i.e., no subsequent login upon arriving to the webpage), it's arguably a HIPAA violation because anyone with access to your email would be able to click the link and see your info; hence, it's not a safe assumption that you're the only user of that email account.

I'm not an attorney, so if you're wondering about damages, I'm as ignorant as a chimp.

But, if you're just trying to get the hospital to knock it off and they're ignoring you, you can file a complaint with the federal HHS Office of Civil Rights (OCR) and outline what you just described.

The link on how to complain is at http://www.hhs.gov/ocr/privacyhowtofile.htm

:)

Hope you don't mind, Soc.

DD

[socrateaser]

Just realize that her facts don't actually prove that her info has been released to anyone else. I think that the case is pretty weak at the moment.

[Kitty C.]

It's still a HIPAA violation if SHE has had access to others medical/confidential information.  There are strict violations to healthcare organizations who do not comply, especially with electronic data.  They have to prove that this information cannot/will not get into the hands of those who do not have authorization to access it.  This is the violation that needs to be reported.  

[socrateaser]

>It's still a HIPAA violation if SHE has had access to others
>medical/confidential information.  There are strict violations
>to healthcare organizations who do not comply, especially with
>electronic data.  They have to prove that this information
>cannot/will not get into the hands of those who do not have
>authorization to access it.  This is the violation that needs
>to be reported.  

This may be true, but in order to have standing to sue, the Plaintiff/Petitioner must have some judiciable controversy that has a real effect on her and for which a court can provide a remedy. The OTHER people on the spreadsheet have standing to sue, because their info has been revealed to the poster. But as of this instant, the poster does not have standing to sue, because the poster's info has not been revealed to anyone other than herself.

I'm not saying that this shouldn't be reported, or that the government may not have a right to sue the hospital over the violation. However, this information release may be an accident, computer bug, the result of an attack by a hacker, etc., and it is highly doubtful that there's any money to be had, UNLESS the poster can show that her info was released to a reasonably large number of unintended persons.

[jilly]

If she's still got the e-mail, she has access to all those names and telephone numbers.  Why not just call everybody and tell them how she got their name and telephone number?  Ask them if they got the same e-mail and if they could see everyone elses personal information.  Get enough irate people calling the hosptial and/or filing a HIPPA complaint against the hospital should put an end to it...computer bug or not. :)

[socrateaser]

>If she's still got the e-mail, she has access to all those
>names and telephone numbers.  Why not just call everybody and
>tell them how she got their name and telephone number?  Ask
>them if they got the same e-mail and if they could see
>everyone elses personal information.  Get enough irate people
>calling the hosptial and/or filing a HIPPA complaint against
>the hospital should put an end to it...computer bug or not.
>:)

Can't argue with that.