Another Way to Violate Privacy: PHI in Court Documents
Hospital System Hit With Sanctions Tied to Documents It Filed
A recent court ruling illustrates yet another way patient privacy can be compromised. A federal court slapped WakeMed Health and Hospitals, a North Carolina healthcare system, with financial penalties for exposing patient information in filings it made for cases.
The court's decision highlights the need to offer certain staff members compliance training that goes far beyond HIPAA and addresses all relevant patient privacy legal requirements - including those tied to bankruptcy issues.
A federal bankruptcy court ordered WakeMed to pay $70,000 in punitive damages - including $50,000 to the court and $10,000 each to two individuals who filed complaints against WakeMed related to the dispute, and to also pay nearly $60,000 to cover the individuals' legal expenses.
The court also ordered WakeMed to send breach notification letters and offer one year of free credit monitoring to potentially thousands of adults and minors whose Social Security numbers or full dates of birth were included in court documents the healthcare organization filed between December 2007 and December 2015.
Those documents, which were publicly available online via a subscription-based court records system, were filed in WakeMed's attempt to seek payment for debts allegedly owed by patients who had filed for bankruptcy protection.
In addition, the court ordered the healthcare provider to submit quarterly reports for five years describing its staff training on filing bankruptcy-related claims against patients, the number of claims filed during that quarter, a certification that those claims were properly redacted, and an outline of claims filing office procedures in place.
Sorting Out Legal Requirements
The WakeMed case spotlights risk management issues tied to the filing of court documents.
"There is a real tension between some 'public records' laws related to court filings and other kinds of laws," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"Major advice is to always be incredibly careful whenever you are disclosing any kind of patient information in any kind of public setting - it is possible that you need to do it, but usually there is a better way."
Exposing Sensitive Data Online
At the center of the ruling were complaints filed by WakeMed patients who had filed for federal bankruptcy protection and for whom WakeMed subsequently filed "proof of claims" documentation to support the attempted collection of unpaid medical bills.
The debtors in these cases sought sanctions, including actual and punitive damages and attorneys' fees, for WakeMed's alleged failure to properly redact their personal information before filing certain document attachments to its "proof of claim" for debt collection in bankruptcy court.
The debtors contended that because the public has access to this information through the federal court system's subscription-based online system known as Public Access to Court Electronic Records, or PACER, they are at risk of having their personal and medical information stolen.
Bankruptcy Rules, But Not HIPAA
The judge noted in the decision that the ruling was based on violations of federal bankruptcy rules, rather than failure to meet HIPAA requirements.
"This court is not a HIPAA compliance tribunal, and the court questions whether it has jurisdiction to opine on or determine sanctions for violations of HIPAA," the ruling states. The court also noted that case law "overwhelmingly holds that there is no private right of action under HIPAA."
The court's decision cites the redaction requirements of federal bankruptcy rule 9037. That rule states that paper and electronic bankruptcy filings may include only:
- Last four digits of a Social Security number or taxpayer-identification number;
- Year of birth;
- Minor's initials;
- Last four digits of a financial account number.
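As an added illustration of the Rule 9037 limits listed above (this is not code from the article or from WakeMed), the following Python pre-filing check flags full Social Security numbers, dates of birth and account numbers in a constructed claim attachment and masks them down to what the rule permits. The number formats it matches are assumptions; a minor's name still has to be reduced to initials by a human reviewer, since the text alone does not say who is a minor.

```python
import re

# Assumed formats for identifiers as they might appear in a claim attachment.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")      # 123-45-6789
DOB_RE = re.compile(r"\b(\d{2})/(\d{2})/(\d{4})\b")      # MM/DD/YYYY
ACCT_RE = re.compile(r"\b(\d{8,16})\b")                  # 8-16 digit account / unhyphenated SSN

# Constructed sample attachment; no real patient data.
SAMPLE_ATTACHMENT = (
    "Patient: J. Doe  SSN: 123-45-6789  DOB: 03/14/1990\n"
    "Account: 4012345678  Balance due: $1,250.00"
)


def find_unredacted(text: str) -> list:
    """Return (kind, value) pairs that would violate Rule 9037 if filed as-is."""
    findings = []
    for label, rx in (("ssn", SSN_RE), ("dob", DOB_RE), ("account", ACCT_RE)):
        for m in rx.finditer(text):
            findings.append((label, m.group(0)))
    return findings


def redact_for_filing(text: str) -> str:
    """Reduce identifiers to the Rule 9037(a) form: last four digits of an
    SSN/TIN, year of birth only, last four digits of an account number."""
    text = SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)
    text = DOB_RE.sub(lambda m: m.group(3), text)
    # Mask all but the last four digits; a 9-digit unhyphenated SSN is caught here too.
    text = ACCT_RE.sub(lambda m: "X" * (len(m.group(1)) - 4) + m.group(1)[-4:], text)
    return text


def is_filing_compliant(text: str) -> bool:
    """True when none of the checked identifier patterns remain in the text."""
    return not find_unredacted(text)


if __name__ == "__main__":
    print("Before:", find_unredacted(SAMPLE_ATTACHMENT))
    redacted = redact_for_filing(SAMPLE_ATTACHMENT)
    print(redacted)
    print("Compliant:", is_filing_compliant(redacted))
```

Running the check on every attachment before it is uploaded, and logging the result, also produces the per-claim redaction evidence that the court's quarterly certification requirement calls for.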
Weak Training?
Court documents indicate that most of WakeMed's proofs of claim filed as part of its bankruptcy collection efforts were processed by Valeria Soles, a financial services and collections department employee who worked at WakeMed for 33 years before retiring in December of 2015. The judge's ruling indicates that the worker testified that although she received annual training regarding the requirements of HIPAA, she had no training with respect to filing bankruptcy proofs of claim.
"The HIPAA training did not cover bankruptcy claims filing," the court ruling states. "Ms. Soles also had no supervision with respect to filing claims, and testified that no one else in her department knew how to file bankruptcy claims. There was no audit system in place, and Ms. Soles had no direct contact with the legal department of WakeMed."
The ruling also notes that Soles was unaware that electronically filed bankruptcy-related claims were broadly accessible through PACER.
Local media outlet The News & Observer reports that WakeMed says it filed 4,470 claims against bankrupt patients between December 2007 and December 2015, but not all filings included improperly disclosed information. Also, the court blocked online access to the documents earlier this year upon WakeMed's request, the ruling notes.
WakeMed did not immediately respond to an Information Security Media Group request for comment on the court ruling.
Lessons Learned
An important lesson emerging from the WakeMed ruling is that all healthcare entities need to take extreme care in handling patient information that's included in publicly accessible court documents, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"To the extent possible, court filings and other documents that cannot be shielded from public inspection should be carefully scrutinized to ensure that only the minimum necessary PHI or other sensitive personal information is disclosed," he says.
"If a document contains sensitive information or PHI is being disclosed, a protective order should be requested from the court to protect the public disclosure of treatment information or confidential financial information that could create the risk of financial harm or identity theft."
Organizations can take several additional steps to help prevent exposing patient information in court filings, Holtzman suggests.
"Every organization that handles PHI, especially those that are engaged in payment collection activities, must develop and continually review their practices on how and when they are permitted to disclose patient information," he says. "This must include extensive employee training and awareness along with strong monitoring and auditing of the information handled by employees to ensure that the controls put into place by the organization are effective and enforced."