Governance & Risk Management , Privacy
Ebola Nurse Sues for Privacy Invasion
Lawsuit: 'Highly Personal' Information Inappropriately ReleasedA Dallas nurse who contracted Ebola last October while caring for a patient infected with the disease is suing her employer for negligence, invasion of privacy and fraud.
See Also: Live Webinar | All the Ways the Internet is Surveilling You
Nina Pham is one of two Texas Health Resources intensive care unit nurses who became infected with Ebola while taking care of patient Thomas Duncan, who died of the disease last fall at Texas Health Dallas Presbyterian Hospital after contracting the illness while he was in West Africa.
In a lawsuit filed against Texas Health Resources on March 2, Pham alleges that the hospital was negligent for, among other things, its lack of providing adequate training and safety equipment to Pham while caring for Duncan.
Then, when Pham later contracted the disease, the suit alleges that "THR, through its agents, intentionally intruded on [Pham's] solitude, seclusion and private affairs when [she] was in a life-or-death situation." The suit says "Nina Pham had a right to privacy, seclusion and ownership over her name and likeness. Nina requested such privacy by being asked to be a 'no information' patient, and Nina had a reasonable expectation that information regarding her identity, her medical condition or her personal image would be kept private."
The suit claims that THR disclosed "highly personal medical information" about Pham, and also filmed her without her informed consent, "and generally attempting to use her for purposes of THR's public relations." The suit alleges that THR "publicized information about Nina's private life, including her identity, her personal health information, and other personal facts that the public had no right to know and for which THR had no right to publicize."
The suit alleges that THR issued a press release that announced Pham's condition "had been upgraded from 'stable' to 'good' in hopes that the public would think THR was doing something right." However, Pham's medical record for that same day indicates that hospital staff was having "end of life discussions" with her, noting that "she was in such critical condition that she could not make decisions for herself," according to the lawsuit.
The legal complaint seeks damages for THR's alleged "fraudulent representations" of Pham's medical condition.
HIPAA Guidance
While THR was dealing with its Ebola crisis last fall, the U.S. Department of Health and Human Services' was getting privacy-related inquiries from the healthcare sector about Ebola. In response to the Ebola outbreak, HHS' Office for Civil Rights issued a special bulletin in November to remind covered entities and business associates about how the HIPAA Privacy Rule governs the sharing of patient information in emergency situations, including Ebola cases (see Feds Issue Ebola Privacy Guidance).
Among the reminders, the bulletin noted that under HIPAA, limited disclosures are permitted to "media or others not involved in the care of the patient or for notification. Upon request for information about a particular patient by name, a hospital or other healthcare facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient's condition in general terms - for example, critical or stable, deceased, or treated and released."
Covered entities and business associates in general need to tread carefully when it comes to dealing with patient privacy during a crisis, says privacy attorney Adam Greene, of law firm Davis Wright Tremaine.
"It is important to remember that HHS interprets the definition of 'protected health information,' very broadly, so even indicating that someone is a patient can run afoul of HIPAA," he says.
"The Privacy Rule permits release of facility directory information, such as whether someone is in stable condition, but only in response to specific requests where someone asks about the patient by name, and where the patient has not objected. Accordingly, sending out a press release about someone's general status can cause problems," Greene notes.
In general, a covered entity can only provide information to the press if it has a HIPAA-compliant authorization from the patient, the attorney says. "The biggest challenge here can be the public relations staff, who want to do everything they can to put the organization in a good light and defend it against any accusations," Greene says. "They need to be fully sensitized to how greatly the Privacy Rule limits them and that the results can sometimes be unfair, with the organization unable to defend itself."
Brent Walker, an attorney at Dallas-based Aldous Law Firm, which is representing Pham in the suit, tells Information Security Media Group that while HIPAA allows the release of certain PHI in emergencies for certain purposes, including related to public health and media communication, "what Presbyterian [hospital] released was not for the public good, but for the public relations of the company to help repair a faulty image."
Walker adds: "The HIPAA guidance indicates some circumstances you can release certain information during an emergency, but I'm sure filming patients and releasing that is not one of them." He also explains that Pham is not suing under HIPAA, because HIPAA does not allow for a private right of action. Rather, Pham is suing based on allegations that THR released her private information without her consent for the company's own benefit. "Such disclosures would be highly offensive to a reasonable person," the suit alleges.
Additionally, Walker says Pham suspects that her electronic health records also might have been inappropriately accessed by some THR staff. Those allegations, which are not part of the current complaint filed by Pham, will be investigated during the discovery phase of the lawsuit, he says.
THR Response
In a message that was sent to Texas Health Resources employees by its CEO Barclay Berdan, which was provided to ISMG by a company spokesman, Berdan says, "THR was sensitive to Nina's privacy, and we adhered to HIPAA rules in determining what information to share publicly. We had Nina's consent to share the information about her that was released."
The spokesman would not comment on allegations that Pham's medical information was potentially inappropriately accessed by THR staff.
Walker says Pham's employment status at THR is "currently up in the air." The THR spokesman tells ISMG that Pham "is still an employee on the payroll" but hasn't returned to work since her illness.
Pham was transferred out of Texas Dallas Presbyterian Hospital after five days of care to continue her Ebola treatment at the National Institutes of Health in Bethesda, Md.