Unauthorized file access: How to avoid lawsuits

Implement safeguards to reduce risks

Recently, over two dozen ED staff members at Palisades Medical Center in North Bergen, NJ were suspended for "sneaking a peek" of the medical record of George Clooney, who was being treated for injuries he sustained after a motorcycle accident.

Unfortunately, it's not unheard of for ED staff to access patient medical files without authorization — whether it's a celebrity, a relative, or a colleague. Under what circumstances would Clooney or others have the right to sue a hospital for unauthorized access of their medical records?

In order for a person to sue a hospital because information was released to a third party in an unauthorized manner, the patient would typically have to bring a "invasion of privacy" or "negligence" type of action, says Helen Oscislawski, a health care attorney at the Lawrenceville, NJ office of Fox Rothschild.

However, the patient must have suffered some sort of damage or harm as a result of the disclosure. "Depending on state law, emotional distress alone, without concurrent physical harm, may not be enough to sustain such a claim," Oscislawski says.

However, the Health Insurance Portability and Accountability Act (HIPAA) does allow individuals to file complaints with the federal government, which will result in the government evaluating the complaint and possibly investigating the provider further to determine if there was a true violation of HIPAA's standards.

Whether a celebrity could sue for "file peeking" depends on state law and tort actions for invasion of privacy, but he or she could definitely file a grievance with the government. "Hospitals should take this extremely seriously, because they risk huge monetary sanctions and criminal penalties which ultimately could affect accreditation," says Erin McAlpin Eiselein, an attorney with Davis Graham & Stubbs LLP, in Denver, CO.

Policies are key

In the Clooney case, it appears that the hospital reacted appropriately by complying with their internal policy and immediately conducting an internal investigation, Eiselein says. "HIPAA requires hospitals to have sanction policies and I assume that the actions they took were in compliance with such a policy," she says.

If you learn of an incident involving unauthorized access of a patient's medical record, you must immediately document this, advises Eiselein. You also need to mitigate any damage done, such as instructing anyone involved not to disclose any information, and comply with your ED's sanctioning policy, which might require a written warning in the employee's personnel file or suspension without pay.

If the patient discovers that their privacy was violated and files a grievance, the Office of Civil Rights will look to see if the hospital properly documented the incident, mitigated any damages, and complied with its sanctions policy. "Chances are if the hospital acts quickly and complies with HIPAA, those actions will weigh in favor of the hospital," Eiselein says. "Where there would be risk is if the hospital took no corrective action."

Your ED's policy should restrict access of protected health information (PHI) to authorized employees. "There are a number of reasons why it is "not permissible" for unauthorized employees to "peek" at patients' records for no legitimate reason," Oscislawski says.

HIPAA sets forth the minimum requirements with regard to what is considered a "permissible" use and disclosure of patients' health information. In addition, in many states, including New Jersey, licensing regulations governing hospitals afford patients admitted to a general hospital certain additional rights with respect to the privacy and confidentiality of patient records pertaining to their treatment, she emphasizes.

As such, your ED must develop and implement technological, administrative, and physical safeguards to assure that only authorized individuals are accessing PHI about patients. Under the Security Regulations of HIPAA, safeguards such as passwords are required. Employee levels of access to electronic protected health information must be defined by employee-categories and limited by those who may need that information for authorized uses, says Oscislawski.

Once a safeguard policy is developed, it is just as important for the facility to train employees regarding policies prohibiting unauthorized access and sharing of information, and provide them with regular reminders about what is expected of them, and what the repercussions are if policies are not followed, Oscislawski says.

"Appropriate sanctions should be developed and implemented when HIPAA policies are breached," Oscislawski says. "There should be essentially a 'zero tolerance' policy implemented for employees who 'peek' at records in an unauthorized manner."

One of the worst scenarios would be if ED staff attempted to sell or profit from a celebrity's medical information, Eiselein says. To commit a criminal offense, an individual must knowingly, in violation of the rules, disclose an individual's PHI to another person.

"There have been four criminal enforcement actions under HIPAA, and all involved attempting to profit from stolen PHI," Eiselein says. "If anybody profited financially, let's say by taking a picture of the celebrity on their camera phone and selling it to a tabloid, that would be enough to kick an offense up to a criminal violation."


Erin McAlpin Eiselein, Davis Graham & Stubbs LLP, 1550 Seventeenth Street, Suite 500, Denver, CO 80202. Phone: (303) 892-7308. Fax: (303) 893-1379. E-mail: erin.eiselein@dgslaw.com