HIPAA Blog

[ Tuesday, June 26, 2007 ]

 

Hospital Sues Blogger: I heard about this last Thursday from Bob Coffield (himself a blogger), but I was on vacation and didn't get a chance to post on it. I've also tried to dig up some more information out of that neck of the woods (Paris, Texas, a little northeast of here), but haven't been able to find out too much. Basically, a blogger has been running a "gripe site," a particular internet bugaboo of many businesses. The site has been harshly critical of Paris Regional Medical Center and its corporate parent, Essent Healthcare, as well as individual managers, it seems.

Well, the Empire has struck back (subscription required here): Essent and PRMC have sued the unknown blogger for defaming the hospital and violating HIPAA (I haven't seen the pleadings -- c'mon, I've been on vacation, and it's tough getting back on track here with all that's piled up -- but I assume the suit is filed against a "John Doe;" the judge has ordered the cable internet provider to disclose the name and mailing location of the blogger within 20 days). On the defamation claim, I don't know about that. On the HIPAA claim, I've only read the linked articles and a bit of the blog (and its internal defensive arguments), but would note the following:
  1. It's not clear what the alleged HIPAA violations are, but presumably the Hospital has alleged that the blogger (or an employee feeding the blogger information) disclosed protected health information on the blog in the process of griping. I perused the site and didn't see anything that looked like PHI, but I didn't really read it that closely (sorry, the constant griping and nastiness of the site sorta depresses me). One post involves someone talking about care a family member received, which may or may not be an improper disclosure.
  2. The blogger, if s/he isn't a "covered entity," can't violate HIPAA. The employee is more likely to be a covered entity, and could (as in the Gibson case) be found guilty of a HIPAA violation even though s/he's not exactly a covered entity. The Hospital definitely is a covered entity, can violate HIPAA, and can be liable for an employee who violates HIPAA in a handful of situations (at least according to AUSA Pete Winn, who is one of the DOJ folks who pursue these types of things). If the disclosure is a HIPAA violation by any of the various parties, then others could potentially be found guilty on aiding and abetting grounds. So, there's some tenuousness there.
  3. There's no private cause of action under HIPAA, so the Hospital can't technically sue anybody for violating HIPAA. However, the Hospital can presumably sue for tort damages and base the claim on the fact that the actions of the tortfeasor were criminal in nature.
  4. The Hospital does seem to have confidentiality agreements with its employees, which could've been violated by the disclosure by employees to the blogger (or, if the blogger is an employee, by the blog posting). That's a different animal.

This will be an interesting case to watch.


Jeff [2:21 PM]
