[ Sunday, June 29, 2014 ]
University of Cincinnati Medical Center:
Jeff [10:37 AM]
Apparently a non-clinical employee of the hospital accessed a patient's medical record and learned that the pregnant patient had a sexually-transmitted disease.
The employee gave the information to the man who impregnated her; that man took to Facebook to taunt and ridicule her. The patient complained and the employee was fired; the patient has now sued.
Fun stuff: there's a possibility that disclosing to the baby-daddy would be fine, if the hospital knew that he was "involved in the care" of the pregnant woman. But that's probably not going to be persuasive since the employee was not a clinical employee and had no business being in those medical records (perhaps she should not even have been able to access those records, depending on the scope of her job responsibilities). And I suspect the baby-daddy and the financial services employee had some personal connection, such that she should have known not to dig into medical records for improper reasons (assuming the hospital did good training, had good policies, etc.).
What's interesting is that OCR is taking an interest because the hospital did not notify OCR about the breach; however, the hospital says they did provide notice, and they have proof of it. This could be a hole in OCR's reporting website. Or it could be a confusion about names.
Hat tip: Jennifer Clemons