Data Issue Arises From Home Diabetes Test

On 26th September, Lori Stein visited Cotton-O’Neil Diabetes and Endocrinology Center in Topeka and met with an endocrinologist for a checkup. Lori Stein´s checkup was routine to monitor her diabetes, but during her consultation she asked if she could have a home test glucometer. A nurse brought her a sample glucometer and some test strips and handed her two boxes.

When she returned home she noticed a slip of paper between the boxes and started to read it thinking it was a print out of her consultation. The page contained data on her health conditions and listed her as suffering from severe obesity, which was incorrect. She also noticed other diagnoses and treatments which she had not had and when she read the page more closely she noticed the patient details written at the top of the page were not her own and that she had been given the page by mistake.

The data printed at the top of the page included the patients name, address, medical diagnoses, treatment details and general information such as age, height, weight and allergies suffered.

Since Lori had previously been a practicing psychotherapist she was well aware of HIPAA regulations and realized that the nurse had violated Privacy and Security Rules. In the wrong hands the information could be used to fraudulently obtain benefits and services.

Lori was concerned about the incident as she realized that if a simple mistake like this could be made with another patient, it was possible that her health information may have been compromised. The following day she called the medical center to report the error and was told that the matter would be investigated. She was also referred to Barbara Duncan, the chief privacy officer at Stormont-Vail HealthCare.

She arranged to meet with Duncan and at the meeting was asked to return the document, although she refused to hand it over as she considered it to be the only proof of the HIPAA disclosure. Stein told Duncan that damage could be done if the data got into the wrong hands, yet Duncan believed the beach to have been caused by “carelessness and laziness and told Stein that “People get complacent about compliance.”

Stormont-Vail HealthCare Spokesperson, Nancy Burkhardt, subsequently confirmed that its hospital staff is committed to protecting the privacy of its patients and has been advised of the importance of protecting patient data, including being provided with information on the new Rule.

She said, “The importance of protecting patient privacy is communicated through articles published in our employee newsletters and in regular corporate compliance meetings. To ensure appropriate monitoring, prevention and detection, we have a HIPAA privacy officer, who is responsible for HIPAA privacy compliance.”

She confirmed that data breaches and complaints are taken seriously and all matters are investigated internally and that action would be taken if a member of staff was found to have acted in a negligent manner or had made a mistake that caused a HIPAA violation. Each case is treated separately and could potentially result in the termination of an employee’s contract, although in other cases the provision of training may be a more appropriate solution.

Stein also sent a follow up letter to the facility stating that she would take action if her medical records were compromised and received a response from Anne M. Kindling, Manager of Risk Management at Stormont-Vail HealthCare. She told Stein that her case had been investigated and confirmed that Steins medical records had been printed on one occasion but were sent for secure shredding.

She was informed “Since we were able to retrieve all of the documents, I am confident that your records were not disclosed to any other individual and therefore there was no breach as to your own health information.” She was also advised that her claim for damages was denied as the management believes its actions prevented her data from being exposed.

She was also told that she would be sent a legal document for her to sign to confirm that she had not, and will not, disclose the data she had viewed. Stein is now seeking legal advice regarding making a claim for damages.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.