#1: Neal Eggeson, Plaintiff Attorney
Topic: Discussion of his $1.25m award won against physician group that disclosed his client's HIV status
Key points:
- Disclosure was made to a collection agency for payment of medical bills.
- Collection agency included (unnecessary) information in a legal filing that (in theory) could be obtained as public information.
- Unusually large damage award was based upon a theory that his client would be unable to continue living within the community and restitution would enable him to move to a different community.
- HIPAA was not at issue in the case.
- Case seems to raise the bar of "harm"
#2: Greg Zoeller, Indiana’s Attorney General
Topic: The State’s Position on the Security of Consumer/Patient Information.
- Timely disclosure of breaches appears to be the primary concern.
- "Without unreasonable delay" is a sliding scale based upon the facts and issues like the size of the organization involved, but 30 days seems to be a threshold.
- Prosecutions (including the recent one against WellPoint) under the Indiana Security Breach Notification Act. Whether the Indiana A.G. will pursue private cause of action suits is unclear.
- Recommended calling the A.G. office to discuss breaches ASAP and even before all the facts of the case may be known. "I promise you that it will never be to your disadvantage to call us sooner rather than later."
- A primary concern with respect to providers appears to be coding fraud.
#3: Dr. Alan Stewart & Good Samaritan Hospital
Topic: Share his personal experience of a privacy breach and subsequent investigation by the Office of Civil Rights.
- Had a sensitive medical conversation with a patient in a semi-public forum (cafeteria area of a rehab clinic).
- IMO, physician took appropriate subsequent steps to apologize and change his clinical processes.
- Patient filed a complaint with the state board of health and federal office of civil rights.
- Subsequent investigation of the hospital by board of health (no jurisdiction for privacy and no punitive action) and by OCR.
- OCR inquiry came nearly 2 years after the event.
- Interaction with OCR was that they requested copies of policies and documentation, recommended policy changes and recommended written corrective action (i.e. letter in medical staff file).
- Raises interesting questions about whether and how physicians are trained in HIPAA privacy and security matters. They are often NOT employees of the healthcare institution and do not go through annual training like other workforce members.
- Dr. Stewart is to be commended for sharing his experiences openly with all of us so we can learn more.