$190 Million Settlement in Privacy Case

Physician at Johns Hopkins Secretly Photographed Patients
$190 Million Settlement in Privacy Case

Johns Hopkins Health System in Baltimore has agreed to a $190 million settlement of a class action lawsuit stemming from a privacy violation and misconduct case involving an obstetrician-gynecologist who used a pen-like camera to secretly photograph and video-record female patients during physical exams.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

In the wake of the discovery last year, Johns Hopkins "redoubled our efforts to uphold the highest standards of patient privacy," a spokeswoman for the organization tells Information Security Media Group. "We have implemented numerous steps to educate, inform and empower our staff to identify and alert us if they have any concerns. We also conducted a comprehensive initial inspection of our facilities and continue to conduct random inspections."

Healthcare organizations can take a number of precautions to help prevent these kinds of privacy violations, experts say. Those include setting strict policies regarding the use of photography and frequent privacy training for all staff.

Case Details

The settlement covers "more than 7,000 unique registrants," the spokeswoman says. The plaintiffs, who reportedly include dozens of minors, were patients of Dr. Nikita Levy, M.D., who worked at Johns Hopkins for more than two decades.

Levy committed suicide in February 2013 several days after an investigation was launched when another John Hopkins employee alerted the institution about her concerns regarding a device that she noticed Levy wearing around his neck during patient examinations. The employee believed the device, which looked like a writing pen, was actually a camera.

A statement on Johns Hopkins' website says that upon the employee's alert, the institution's security department was contacted and went to Levy's office to question him about the device. While interviewing him, Johns Hopkins security officials noticed similar devices in his office. The interview was suspended after security officials asked Levy to surrender the devices, which he did. Baltimore police were called in and investigated the case.

Investigators subsequently discovered about 1,200 videos and 140 images of unidentified patients' bodies stored on a series of servers in Levy's home. "Law enforcement had access to and control of the images; Johns Hopkins Health System did not," the Johns Hopkins spokeswoman says. "Thankfully, law enforcement found no indication that any images were ever shared."

Contacting Patients

John Hopkins' various statements on its website indicates the institution sent letters to thousands of Levy's patients notifying them of the events, and also posted periodic updates about the case for patients on the organization's website.

In the latest statement posted on its website, Johns Hopkins says about the settlement: "We have come to an agreement that the plaintiffs' attorneys and Johns Hopkins Health System believe is fair and properly balances the concerns of thousands of plaintiffs with obligations the Health System has to provide ongoing and superior care to the community. It is our hope that this settlement - and findings by law enforcement that images were not shared - helps those affected achieve a measure of closure."

The health system notes that all funds for the settlement come from insurance. As a result, "this settlement, which has been formalized by the plaintiffs' attorneys and the health system and given preliminary approval by the judge, will not in any way compromise the ability of the health system to serve its patients, staff and community," the statement notes.

The plaintiffs' lead attorney did not immediately reply to a request for comment on the settlement.

Privacy Efforts

Some privacy and security experts called the John Hopkins case unusual for its shocking details and the number of patients affected. But sadly, privacy cases involving photos of patients are relatively common, they say.

"Unfortunately there have been many cases when doctors, nurses, or others within hospitals and clinics, took photos and/or videos of patients and then posted them," says Rebecca Herold, a partner at consulting firm the Compliance Helper and CEO of The Privacy Professor. She says some cases over the last year have included a Chicago doctor who posted photos online of a patient who is an aspiring actress; a nurse who took photos of stickers that a Los Angeles doctor put on a patient's face during surgery; and an OB-GYN physician in Arkansas accused of taking photos of a nude patient without her consent.

Hospitals, clinics and others can take precautions to help prevent these kinds of privacy violations involving photography and videography of patients, experts say.

"Healthcare provider organizations commonly have policies preventing photography, with exceptions for certain specialties and circumstances such as documenting a dermatological condition," says privacy expert Kate Borten, founder of The Marblehead Group consulting firm. The policy should exempt security cameras, but camera placement should not violate patient privacy, she says. "Such policies should not be limited to traditional cameras or cell phones, but should have broad language that covers any image-capture - still or moving - technology."

Herold adds that healthcare entities need to make their workforces aware of the institutions' privacy policies. "This situation demonstrates once more the importance of providing regular training and ongoing awareness communications, in support of documented information security and privacy policies and procedures," Herold says. "Those who are intent on obtaining such images are probably going to do so in any way they can. Preventing inappropriate behavior by sexual deviants is hard, because they are so motivated to do their salacious activities without getting caught. It truly takes the observation of all within a facility to help prevent or stop such activities."

But having clear policies and ongoing oversight is important, Herold stresses. "Providing training, and requiring all personnel to attend, to cover privacy and ethics, is also important."

She adds: "Hospitals and clinics could also do spot checks of the items doctors and other caregivers are using when they are with their patients. Something else that would have helped to prevent such abuse would be to have required a nurse in the room with doctors when they are with patients - especially when patients are disrobed as part of treatments or for exams. Many hospitals and clinics, especially OB-GYNs, have had this practice rule for many years. However, in recent years many have also stopped doing this because of a shortage of nurses and other types of patient attendants."

While the use of surveillance cameras to monitor healthcare workers have been suggested by some, Herold points out, "then you risk having the patients' images breached through unauthorized use of or access to those as well."

HIPAA Violation?

Johns Hopkins did not respond to ISMG's inquiry about whether the events involving Levy were reported to HHS' Office for Civil Rights as a HIPAA privacy violation. An OCR spokewoman told ISMG, "HHS is aware of this story, but has no comment on the incident."

Borten, however, believes the privacy violation at Johns Hopkins was a HIPAA violation. "These photos appear to constitute PHI since they could be used to identify a patient. For example, imagine one of this physician's patients who has some particular visible genital characteristic. She could identify herself from the photo," she says.

"When PHI is used for other than patient care or other HIPAA-permissible uses, that is a HIPAA privacy violation. And HIPAA violations are presumed to be breaches unless they fall into various exceptions," Borten says. "This appears to be a HIPAA breach, but if Johns Hopkins could not reasonably have prevented it, the organization may not be cited."

Herold notes: "The large number of patients involved is more than I've seen in similar past cases. The fact - substantiated or unsubstantiated - that the images cannot be linked to specific individuals, though, is not as bad, from a HIPAA compliance perspective, as some cases where the identity of the patient was clearly visible in the photos or videos the doctors or nurses took, and in many cases posted online, such as on social media sites. However, from an ethical, moral and practitioner perspective, this is probably one of the most disgusting, outrageous, demented and invasive physicians I've ever [heard] about."

Johns Hopkins Health System, a part of Johns Hopkins Medicine, includes the Johns Hopkins Hospital, which has 1,059 beds as well as five other hospitals, a multi-specialty physicians organization that includes 400 providers, and also a health plan.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.