And everyone snooping in on his medical records yet nothing is done. Privacy laws only apply 1st to all celebrities then maybe a few token middle class folks, then finally Doctors.

I hate to tell Hipaa, but the common people and doctors want the same enforcement of the law that is provided for celebrities!

This is infuriating!

Yes HIPAA applies to everyone regardless (doctors, nurses, celebrities, regular patients, homeless, etc. - lets not be melodramatic and make poor generalized claims). Where was the medical director or CEO - he or she could have quickly and efficiently put a stop to the issue. Also, the family should have gotten in touch with the privacy officer or the OCR and file a complaint. It sounds like the hospital needs to be encouraged to better understand and enforce the federal and state laws regarding patient privacy.

The field of infertility treatment is such a privacy-sensitive one that although I am on two medical school faculties, I do not allow regular rotations of residents to my practice as they would likely encounter the many faculty, residents, nurses and med students who come to me for care. Whenever we have a celebrity, we hold a meeting to discuss the serious implications of our staff even sharing with their closest family members the fact that that patient is being seen. We have to bring the patients through the back entrance or see them after hours. It is EXTREMELY difficult keeping a lid on this type of thing, but so far we have not known of any obvious leaks. For non-celebrity patients, we have had a few encounters of neighbors or church acquaintances running into each other in the waiting rooms. Sometimes, they will reluctantly say hi, but there have been times where they just deliberately ignore each other and then later tell me that they know the other patient and would ask to be scheduled at times not to coincide with the other patient. It never took a rigid regulation like HIPAA for us to have these policies in place.

This situation is very unfortunate. HIPAA enforcement in situations such as this are commonly left to the nurses who are taking care of the patient, which is unfair for the nurses and not often helpful for the patients or their families.

The hospital was required to provide a Notice of Privacy Practices to the patient at the time he was admitted, assuming he had not also been admitted previously (i.e., between April 2003 and now). It should have contained the process for him or his designees, in this case his family members, to file a privacy complaint with the hospital. Even if he was admitted emergently, the hospital’s requirement was to get the Notice to him as soon as it was medically practical for them to do so; they could also have provided the Notice to his family members.

The family should have immediately contacted the hospital’s HIPAA Privacy Officer (the hospital is required by statute to have one). If the Privacy Officer did not immediately ensure that the kibosh was put on what was going on, the family should have contacted senior staff (CEO, Sr VPs, etc.) and complained. Of course, they may not have known this if they were never provided with the Notice of Privacy Practices, or didn’t have the time to read it.

The Privacy Officer should have contacted the hospital’s HIPAA Security Officer (again, the hospital is required to have one), who should have immediately started utilizing whatever process the hospital has in place to track hospital system users, so that the snoopers could have been caught in the act and disciplined immediately.

The family have up to six months from the time of the privacy breaches to file an official complaint against the hospital with Health & Human Services, and as a HIPAA patient advocate I strongly encourage them to do so. The process is relatively quick and painless: http://www.hhs.gov/ocr/hipaa — the complaint form can be found on this page. I encourage the author of this blog to follow-up on this with the patient and/or his family. HHS has received 40,000+ privacy complaints since April, 2003, and yet has fined only ONE hospital in 5+ years. Hospitals such as this one will continue to allow patients’ privacy rights to be violated unless and until active complaints are received.

I also encourage the patient or his family members to contact the senior leadership of this hospital and let them know that the family will be filing a complaint with HHS. They should include in the letter their expectation that the hospital will take steps to stop this type of occurrence both with members of its workforce as well as all privileged providers who may or may not be staff members.

I am establishing a patient advocacy practice specifically to deal with HIPAA Privacy & Security issues — for exactly the reasons as stated in this blog — patients and their families do not know their rights regarding their privacy and the security of their healthcare information.

For example, would you go to see a physician if you knew he had a pre-existing medical condition that might affect your treatment or perhaps affect him during a surgical case?

Are you seriously suggesting that a physician has a right to hide the fact that he has a medical condition that might harm a patient during surgery?