Johns Hopkins Health System Settles $190M Lawsuit Over Potential HIPAA Privacy Violations
The Baltimore-based Johns Hopkins Health System has agreed to settle a $190 million civil action lawsuit arising from HIPAA violations caused by one of its physicians.
The settlement was the result of a HIPAA Privacy Rule violation caused by an obstetrician and gynecologist who had used a hidden camera to take photographs and videos of his patients while conducting examinations.
The physician used a pen-like device to take 140 illicit pictures and approximately 1,200 videos of his patients, according to the findings of an investigation into professional misconduct.
Dr. Nikita Levy, M.D., had worked for the hospital for more than two decades, but in early 2013 another hospital employee alerted management about a device that Levy was seen wearing around his neck during patient examinations. While the device had the appearance of a pen, the member of staff believed that it was in fact a camera.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
The matter was taken up by the hospital’s Information Security Department and Levy was interviewed in his office by security staff. They noticed a number of devices which they believed to be hidden cameras and they asked the physician to surrender all of these devices, which he did.
An investigation into the matter was launched, but a few days later Levy committed suicide. Law enforcement was involved and conducted a search of the physician’s home and found a number of images and videos of the bodies of his patients, most of which were unidentifiable. The material was found on a multiple servers in the physician’s home, although according to a spokesperson from Johns Hopkins, “Thankfully, law enforcement found no indication that any images were ever shared.”
Information Security Group was informed by Johns Hopkins that action has been taken to improve privacy standards at the hospital since the physician’s actions were uncovered. According the statement, the spokesperson said “We have implemented numerous steps to educate, inform and empower our staff to identify and alert us if they have any concerns. We also conducted a comprehensive initial inspection of our facilities and continue to conduct random inspections.”
According to a statement on the hospital website, “We have come to an agreement that the plaintiffs’ attorneys and Johns Hopkins Health System believe is fair and properly balances the concerns of thousands of plaintiffs with obligations the Health System has to provide ongoing and superior care to the community. It is our hope that this settlement – and findings by law enforcement that images were not shared – helps those affected achieve a measure of closure.”
The settlement covers “more than 7,000 unique registrants,” and according to the hospital, many of these were minors. In accordance with HIPAA breach notification rules, the hospital sent letters to all concerned alerting them to an invasion of their privacy and posted a notice to the media, although it is not clear whether the matter was reported to the OCR or if the hospital considers this to be a violation of HIPAA or just a violation of patient privacy.
Under HIPAA regulations, personally identifiable material, including physical records, electronic medical records and personal identifiers are classed as PHI, which includes photographs. These are classified as PHI if a patient can be identified from the images. It could be argued that even if the patients’ faces were not on the videos or images, they may still have been identifiable, and it is therefore probable that HIPAA laws have been violated.
What is not clear is whether it is reasonable to expect the hospital to have taken action to prevent the incident. Healthcare providers can certainly implement safeguards to prevent staff from violating HIPAA, such as providing training and advising the staff that it is not permissible to take photographs of patients – for non-medical reasons – or to take PHI for personal use. Whether this would have prevented the doctor from taking the photographs will never be known.