Sometimes HIPAA Violations Involve Technology, But Technology Is Not At Fault.

Our job as your trusted IT and Healthcare technology company is to help our clients comply with HIPAA regulations. We also strive to educate our clients and their employees on the importance of protecting patient privacy.

We do this by using examples of HIPAA violations to help our clients understand some of the concepts of HIPAA such as:

• What is protected health information (PHI)?
• What is a system auditing and system activity review?
• What is the consequence of a breach to a patient’s privacy?
• How can we prevent breaches from occurring?

The bottom line is that HIPAA compliance is driven by the fear of financial penalties.

When we speak with representatives of various organizations about HIPAA compliance, the topics of fines, audits and the cost of breaches usually dominates the conversation. It seems that a large majority of organizations are driven by the fear of HIPAA penalties, rather than the fear of breaching patients’ privacy.

While this might not be true for all organizations, unfortunately fear of fines drives many to start thinking about HIPAA compliance.

When a real-life privacy breach hits the headlines, it’s important that you take a step back and use the information as a lesson learned to prevent similar breaches from occurring at your organization.

This is the perfect example of an individual who has had their privacy breached:

A man, identified as John Doe, who was HIV-positive, was admitted to Advocate Sherman Hospital.  One of his neighbors, William Zagalak, looked up his medical record. Zagalak then told others that John Doe was HIV-positive. A lawsuit against Zagalak contends that, as a result of John Doe’s privacy breach, he was the target of ridicule and hate crimes, and was ostracized by his community.

The suit contends that William Zagalak, then a respiratory care specialist at Advocate Sherman Hospital in Elgin, looked up the man’s medical records without authorization, and shared that information with Zagalak’s wife, co-workers and neighbors. As a result, Zagalak no longer works at Sherman.

• Doe alleges that he believes Zagalak went through his medical records and learned of his medical condition.
• He then proceeded to share that information with others, including Doe’s neighbors.
• Doe says he contacted hospital administrators in the fall of 2013 about the incident.
• A letter, written in September 2013 by a Sherman Advocate privacy specialist confirmed that Doe’s medical account had been improperly accessed and, more specifically, that Zagalak had viewed Doe’s records without authorization for approximately two minutes on Jan. 20.
• The letter stated that Zagalak was no longer employed with the hospital.

According to a lawsuit filed May 9 in Kane County court, John Doe had “become a target for ridicule and hate crimes” and had been as been “ostracized by the community” because of the disclosure.

The Real Impact of Privacy Breaches

It’s stories like this that reveal the real impact of breaches to a patient’s privacy. These organizations were fined due to lost laptops with unprotected PHI. While the fines are disastrous, the real impact of these breaches to patient privacy is usually never known. Unfortunately it typically results in financial harm to a patient, or blackmail that damages their reputation.

Every organization that is responsible for handling patient information should take notice. By understanding the real impact of a breach to a patient’s privacy, we can prevent similar breaches from occurring. Policies must be put in place to prevent this type of privacy breach from ever occurring.