
Kate Middleton’s Medical Records Accessed Without Authorization. What Are Your Rights in the United States?

This week, the Royal Family were at the center of a scandal involving the potential disclosure of Kate Middleton’s medical records from a London Clinic.  AP News reports this week indicated that Princess Kate’s medical records about her recent surgery and stay, which have been kept extremely private, were being accessed by an employee of the London Clinic who was not part of the Princess’ care team and who did not have a working need to view the records.  It is generally assumed, though not confirmed, that the employee was accessing the records for his or her own personal curiosity or gain.

Though this incident occurred in England, this type of disclosure occurs frequently in the United States.  While we are not all as famous as Princess Kate or the Royal Family, we have our own right to privacy of our medical information.  While London does not have United States laws protecting privacy, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Federal Trade Commission (FTC) Privacy Act, it does have laws which protect patient privacy, including the privacy of the Royal Family.

In the United States, the Department of Health and Human Services – Office of Civil Rights (OCR) has oversight and regulation of HIPAA.  For years, OCR has advised health care providers that the most common type of medical disclosure is one in which an employee of the health care provider accesses the medical information of a patient without proper authorization or a working need to do so.  Oftentimes the access is for curiosity or to find salacious or scandalous information.  Once an employee is in possession of the medical information, there is no limit to whom and when the information can and will be used.  Employees have been known to post information on social media, or to use the information to disparage the patient.  Once the information is out, it is practically impossible to stop the spread of the information.

However, knowing that disclosures cannot always be prevented, HIPAA accounts for incidents of wrongful disclosure by requiring health care providers, once notified of a wrongful disclosure, to conduct a thorough investigation into the incident, to remediate their systems to ensure that another similar disclosure does not occur, to get the information back or to stop the spread of the information, and, most importantly, to mitigate the harm the disclosure caused to the patient.  Unfortunately, it is these post-disclosure actions, which are required by HIPAA, that health care entities routinely fail to adequately perform.

Following a wrongful disclosure, a health care provider is required to report the incident to OCR.  Whether the disclosure involves one person or hundreds of people, the disclosure must be reported.  The reason for the report is that HIPAA empowers OCR to impose both civil and criminal penalties on the health care provider, depending on the severity of the breach.  When a disclosure occurs, health care providers are supremely motivated to avoid those penalties.  Unfortunately, a lesser motivation is to protect their patients and to mitigate the harm caused as a result of the disclosure.

For years, the legal and health care communities have wrongfully assumed that patients had no recourse for the wrongful disclosures of their medical information.  For the past ten years, the law firm of McShane & Brady has been successfully litigating these cases on behalf of patients in the Kansas City area. We have been able to recover millions of dollars for the harm suffered from a wrongful disclosure.  If you believe you have been a victim of a wrongful disclosure in or around the Kansas City area, or if you know someone who has, please contact the expert HIPAA violations attorneys at McShane & Brady for help.  You can reach us at 816-888-8010 or via our website.