WakeMed Health and Hospitals Fined for Patient Privacy Violations

Raleigh-N.C-based WakeMed Health and Hospitals has been ordered to pay a fine of $70,000 by a North Carolina Bankruptcy Court for violating the privacy of patients.

The privacy violations occurred when submitting proofs of claim to the bankruptcy court. Documents were submitted electronically; however, they contained the protected health information of debtors, including names, Social Security numbers, bank account numbers, and dates of birth.

Under Bankruptcy Rule 9037, any proofs of claim submitted in court filings must have sensitive information redacted prior to transmission. Social Security numbers, taxpayer identification numbers, and account numbers must have all but the last four digits of the numbers redacted. Birthdates must also have the year of birth redacted. Additionally, if the filings include details of minors, only their initials must be included, not full names.

WakeMed Health and Hospitals failed to redact this information, and further, a number of the proofs of claims also contained protected health information. It was alleged this was a violation of the Health Insurance Portability and Accountability Act in addition to the hospital’s policy of privacy practices.

At the sanctions motions hearings, hospital staff testified that they had been given training on HIPAA regulations, but this did not cover the filing of bankruptcy claims. They also explained that the hospital also had no bankruptcy filing auditing system. Staff members said they believed that the filing of proofs of claims also came under the definition of payment collections and that this was therefore exempt from HIPAA.

While the court did not feel it had the jurisdiction to determine sanctions for HIPAA violations, it did have the power to award sanctions for violations of Bankruptcy Rule 9037.

The court concluded that the disclosure of private information of patients by WakeMed Health and Hospitals and the lack of training and supervision of staff amounted to negligence. According to the judge, “An institution that participates in the bankruptcy process as frequently as WakeMed simply cannot ignore the requirements of the court; the Code and Rules are of equal importance to the requirements of HIPAA and other regulations that govern Wake Med’s business practices.”

The court ordered WakeMed Health and Hospitals to pay punitive damages of $70,000 in addition to covering the attorney fees of the lead consumers.

The case should serve as a warning to all hospitals that they must ensure compliance not only with HIPAA, but also with other statutes that are intended to protect the privacy of consumers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.