25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

7 Month Delay Notifying HIV Study Participants About Exposure of their Confidential Information

Posted By on May 16, 2019

The sensitive information of 24 women diagnosed with HIV has been made available to individuals unauthorized to access that information. Despite the breach being discovered more than 7 months ago, the affected women have still not been notified.

The women were participating in an EmPower Women study at the University of California San Diego (UCSD). All 24 women had been diagnosed with HIV yet had not sought treatment. The HIV research study aimed to explore the reasons why those women had not sought treatment, specifically how substance abuse, domestic violence, trauma, and mental illness affected the decision to seek treatment and commit to treatment programs.  To help recruit patients for the study, UCSD partnered with the non-profit organization Christie’s Place, which provides support to women diagnosed with HIV and AIDS.

The plan was to recruit 100 patients for the study and offer half of participants free support and counselling services and the other half were given the option of receiving standard services at Christie’s Place. The researchers would then monitor the outcomes of the two different groups.

The women’s names, audio recordings of interviews with study participants, and other sensitive information were stored in a database used to track clinical care. Access controls should have been implemented to ensure only individuals authorized to view the women’s confidential information could access the data. However, the database could be accessed by everyone at Christie’s Place.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

An inewsource investigation revealed not only that the private and confidential information of study participants had been exposed, but despite UCSD being made aware of the privacy violation in October 2018, notification letters had not been issued.

Lead researcher of the study, Jamila Stockman, associate professor at UCSD and Vice Chief of Global Public Health, was made aware that the database was available to all employees, interns, and volunteers at Christie’s Place by a mental health professional.

She brought the privacy breach to the attention of officials at UCSD and continued to push for notifications to be issued in meetings, emails, and study reports. As a result of the failure to take action over the breach, Stockman suspended the study in October 2018.

The failure to take prompt action and issue notifications would constitute willful neglect of HIPAA Rules and would be punishable with a fine in the highest penalty tier. However, the research was entirely funded by the UC system and, as such, is not subject to HIPAA Rules and is beyond the remit of the HHS’ Office for Civil Rights.

Christie’s Place was accused of deliberately adding patient information to the database with full knowledge that it could be accessed by everyone in an effort to inflate the number of patients participating in the study and bill the County of San Diego for more services. That allegation has been denied.

Christie’s Place issued a statement to inewsource confirming its internal investigation concluded there had been no wrongdoing and that “Christie’s Place did not misuse client data, did not breach client data to inflate patient numbers, did not misrepresent the services we provided, and did not improperly bill the County of San Diego.”

After being notified about the breach, UCSD instructed Empower Women to draft a breach notification letter, but the sending of that letter was repeatedly delayed. In March 2019, the decision was finally taken to to inform the study participants about the breach, but there was a further delay as before those notifications could be issued, UCSD wanted to ensure that all study data was securely deleted from Christie’s Place systems. UCSD now plans to send notification letters in the next 2-3 weeks.

inewsource has brought the matter to the attention of County of San Diego officials who will conduct their own investigation and take appropriate action.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist