[ Monday, October 15, 2007 ]
Even Unintentional Breaches Can Bring Punitive Damages:
I thougt I had posted on this before but don't see it. A Long Island surgery center employee made bad disclosure of particularly sensitive information, and got stuck with not only $65,000 in actual damages but $300,000 in punitives (Randi A.J. (Anonymous) v. Long Island Surgi-Ctr., N.Y. Sup. Ct. App. Div., No. 2005-04976, 9/25/07
; opinion here
via BNA, but may need subscription). The patient, a young woman still living at home with her parents, had come in for an abortion and asked that only her cell phone be used. But a nurse, trying to be helpful and provide post-operative information to the woman, instead called her home and passed along information to the patient's mother that, while not specifically disclosing the procedure she had received, provided enough information for the mother to make an inference.
Again, the disclosure was not malicious or intentional. But it's a good lesson on how important it is to have and follow good information security procedures.
Jeff [8:54 AM]
Blogger: HIPAA Blog - Edit your Template