Cleveland HIPAA Violation Lawyer
Privacy lawyers have been waiting for the Ohio Supreme Court’s decision in Rolston v. Menorah Park to see where privacy claims stand in the State of Ohio. The decision, which was largely favorable to patients, was published in December 2020.
The central issue in Rolston was whether the HIPAA Privacy Law, enacted in 1996, superseded Ohio’s common-law claim for breach of the right to privacy. The Health Insurance Portability and Accountability Act (HIPAA) sets forth standards for protecting the privacy of patients’ health care information. However, the statute does not include a private right of action. In other words, you cannot sue for a HIPAA violation. However, prior to the enactment of the HIPAA Privacy Law, the Ohio Supreme Court recognized a common-law right of privacy which, when breached, gives rise to a right to sue for money damages. “Common law” refers to judge-made law, as opposed to statutory law, which is created by the legislature.
In Rolston, the Ohio Supreme Court explored the application of the federal preemption doctrine. Preemption occurs when a federal law broadly regulates a legal area in such a way that contrary state laws are deemed to be superseded and voided by the federal law. However, the HIPAA law specifically states that it creates a minimum standard for protection of patients’ confidential health information. The law further states that state laws may add to or supplement the HIPAA law, but may not create standards that contradict HIPAA’s specific regulations or weaken the effect of those regulations. States can add to, but may not subtract from, the federal law. In Rolston, the court held that Ohio’s common-law right to sue adds to but does not subtract from HIPAA regulations.
As a privacy lawyer, I was concerned that the Ohio Supreme Court, which tends to protect the business, insurance, and hospital lobbies to the detriment of consumers and patients, was going to hold that the HIPAA law preempts Ohio’s common-law invasion of privacy claim in the health care setting.
In holding that the HIPAA law does not preempt Ohio’s common-law claim for breach of the right of privacy in the health care setting, the Supreme Court preserved patients’ right to sue hospitals and health care workers for HIPAA violations. That was good news. But the decision contained more good news. Specifically, in making its decision, the Ohio Supreme Court looked to HIPAA regulations for guidance in deciding whether an invasion of privacy occurred. HIPAA regulations contain specific standards for how hospitals, nursing homes, and health care workers must protect patients’ personal information, as well as standards for when personal information can be disclosed.
The Rolston case arose out of a billing dispute between a nursing home, Menorah Park, and its patient. The patient was allegedly indebted to Menorah Park for an unpaid bill for services. In an effort to collect on the bill, Menorah Park forwarded a copy of the bill, which contained information about services rendered by Menorah Park, to its attorney. Its attorney, in turn, filed a copy of the bill along with the lawsuit seeking to recover for the bill. The patient countersued arguing that the disclosure of her protected health-care information in the lawsuit violated HIPAA regulations and breached her right of privacy.
The Ohio Supreme Court looked to the HIPAA regulations for guidance in determining whether the patient’s right of privacy was violated. The court held that HIPAA regulations permit healthcare providers to disclose sufficient information to document the basis for their collection efforts, so long as that information is narrowly tailored. The court held that it was appropriate for the health care provider to disclose the date of service, the billing code, the type of service, and the amount billed. Ultimately, the Supreme Court ruled against the patient in Rolston, holding that Menorah Park’s actions fell within the scope of the HIPAA regulations. Though the decision went against the patient, the decision will be helpful to other patients in the future.
For example, HIPAA regulations require hospitals to train their employees about the need to maintain the confidentiality of patients’ protected health information. In addition, HIPAA regulations require hospitals to have physical and technical safeguards in place to prevent employees from accessing patient information when there is no legitimate business reason for doing so. We are currently in suit against the Cleveland Clinic in a breach of privacy case. During litigation, we confirmed that the Clinic permits access to all patient records by any employee who obtains access credentials to their electronic medical record system, Epic. Thus, any doctor, nurse, or clerical staff may access the records of any patient at the Main Campus or any of the multiple satellite facilities operated by the Cleveland Clinic. We believe this is a violation of the specific HIPAA regulations that require physical and technical safeguards to prevent unfettered access to patient records. The Clinic system is the modern-day equivalent of leaving patient records on the break room table for any employee to peruse.
In the course of our investigation, we also have learned that the Cleveland Clinic is aware of many instances where its employees snooped into patient records for their own gratification, i.e., without authorization and without a legitimate business or medical reason for doing so. It is clear that training alone does not prevent violation of their patients’ privacy. Additional safeguards are needed, such as two-factor authentication (e.g., date of birth and social security number) or a unique identification number or password.
When a patient’s privacy is violated in this way, not only does their personal health history become available to the snooping employee, but sensitive financial information can be accessed as well. This creates the potential for identity theft. The breach of trust that goes along with an invasion of privacy in the health care setting disincentivizes patients from being open and honest with their physicians and nurse practitioners, which has potentially life-threatening ramifications. Finally, the worker who snoops into a patient’s records can weaponize sensitive information against the patient. We have seen examples where a worker used sensitive confidential information to gain an advantage over a romantic rival, to keep tabs on an estranged family member, or even as a basis for refusing to pay for work performed by the patient. Sensitive health information can lead to tremendous turmoil, such as firing, job loss, or family or marital discord.
How do you know if a Cleveland Clinic employee or the employee of another hospital has snooped in your medical record? All electronic medical records contain a log of each person who has accessed the medical record. This log, called the audit trail, shows the identity of the individual who obtained access, the date of access and the portions of the medical record that were accessed. The HIPAA regulations give you the right to access your complete medical record, including the audit trail. So, you or your privacy lawyer can readily conduct an independent investigation. In addition, HIPAA regulations require hospitals to ensure compliance with HIPAA laws. Using the example of the Cleveland Clinic, the Clinic’s Compliance Department will conduct an investigation into complaints of HIPAA violations. Based on past experience, this investigation involves a review of the audit trail as well as an interview of the employee who is suspected of having accessed the patient’s medical record without a legitimate business reason for doing so and without the patient’s authorization. The Clinic’s Compliance Department will then issue a letter to the patient indicating whether their HIPAA rights were violated.
Note that under Ohio law, you have 4 years from the date of unauthorized access or disclosure of your medical record in which to file a lawsuit alleging breach of privacy. If you fail to file a lawsuit within this statute of limitations, you will be time-barred from recovering compensation for the violation of your HIPAA rights. Since you may not know the precise date on which a hospital employee accessed your medical records, you should start your investigation as soon as possible after suspecting that unlawful access has been obtained. As privacy lawyers, we are available for a free, no-obligation consultation if you have questions about your HIPAA rights.