The Jussie Smollett saga earlier this year made headlines here in Chicago and throughout the country. It was a juicy tale of a supposed hate crime against an actor, that turned out to be a hoax, that led to criminal charges against Smollett, that were later dropped by State’s Attorney Kimberly Foxx, who then found herself under scrutiny for that decision. But Smollett and Foxx weren’t the only ones in this tale whose conduct raised eyebrows or put them in legal or ethical jeopardy.

Fifty employees, including several nurses, at Northwestern Memorial Hospital lost their jobs and faced disciplinary action because they violated the patient privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). This included one nurse who did nothing more than search for Smollett’s name in the hospital’s system.

Breaching HIPAA Obligations Is Easy. Dealing With the Fallout Is Not.

If you are a physician or registered nurse, or if you work in healthcare in any capacity, you are no doubt generally aware of HIPAA and the duties it creates to ensure the confidentiality of protected health information (PHI). That fired nurse no doubt knew about HIPAA’s privacy and security rules as well. But her case demonstrates how quickly and inadvertently you can breach your professional obligations as to patient privacy and put your career – and professional license – in peril.

After HIPAA became law in 1996, the U.S. Department of Health and Human Services (HHS) issued a set of national standards governing the use, maintenance, and disclosure of patients’ protected health information. Commonly known as the Privacy Rule, the Standards for Privacy of Individually Identifiable Health Information limit how and to whom PHI can be disclosed.

Additionally, medical professionals and organizations must comply with detailed rules involving the physical and electronic security of PHI (the Security Rule, or Security Standards for the Protection of Electronic Protected Health Information) as well as the Breach Notification Rule which addresses what doctors and healthcare providers need to do in the event of a data breach.

As complex as HIPAA rules can be, violating them couldn’t be easier. It doesn’t require malicious intent (though that makes matters worse) or the knowledge that an act or omission violates HIPAA. In fact, most HIPAA infractions are inadvertent and more a factor of “loose lips sink ships” than anything else. But that doesn’t insulate a doctor or nurse from civil penalties or professional license consequences.

Common HIPAA Privacy Rule Violations

The following are common examples of how medical professionals can and do unknowingly violate HIPAA’s Privacy Rule:

• Leaving patient files and information in plain view, such as at a nurse’s station or reception desk, so that anyone in proximity may be able to see that information.
• Social media posts, pictures, or videos that may directly or indirectly reveal information about a patient or their condition, even in “closed” groups. A 2015 ProPublica review uncovered 22 cases of HIPAA-violating photo and video sharing in just the previous three years, with 35 instances of inappropriate image and video sharing found in total. There have been plenty more widely-publicized incidents since then.
• Sending PHI over messaging apps without patient authorization.
• Accessing the PHI of patients you are not required to treat
• Gossiping about specific patients and disclosing their health information to family, friends & colleagues
• Improper disposal of PHI, such as discarding it in regular trash.

Possible Consequences of a HIPAA Privacy Violation

The Office for Civil Rights (OCR) at DHS is responsible for enforcing HIPAA’s privacy requirements and can impose civil fines and criminal penalties, including possible jail time, for violations. The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation and the knowledge and intent involved. Only willful violations will raise the specter of criminal prosecution, but civil penalties can rise to the level of tens of thousands of dollars.

Additionally, under Illinois’ Medical Patient Rights Act, any physician or healthcare provider who discloses a patient’s PHI without their express consent or as otherwise provided by law is guilty of a petty offense and will be fined $1,000.

If a physician or nurse violates HIPAA in a willful or egregious way, or is negligent in their handling of patient information, the Illinois Department of Financial and Professional Regulation (IDFPR) may take an interest and see such conduct as the basis for disciplinary action.

For example, the Illinois Medical Practice Act provides that the Department may revoke, suspend, place on probation, reprimand, refuse to issue or renew, or take any other disciplinary or non-disciplinary action against a physician for “willfully or negligently violating the confidentiality between physician and patient except as required by law.”

To avoid all of these potential consequences, physicians and nurses must remain vigilant and ever mindful of their patients’ privacy and their obligations under HIPAA.

Louis Fine: Chicago Professional License Defense Attorney

If you have questions or concerns about your duties under HIPAA or find yourself facing an IDFPR investigation or complaint about patient privacy, please contact me immediately. As a former Chief Prosecuting Attorney and administrative law judge for IDFPR, I have seen the serious consequences that an adverse enforcement decision can have on professionals who suddenly find their future in disarray. I can work with you to develop the strategy best suited to achieving the goal of an efficient, cost-effective outcome that avoids any adverse action. Together, we will get you back to your clients and your career.

Please give me a call at (312) 236-2433 or fill out my online form to arrange for your free initial consultation. I look forward to meeting with you.

DISCLAIMER: This email, and any attachments thereto, is the property of the Law Offices of Louis R. Fine and is intended for use only by the addressee(s) named herein and may contain confidential information, legally privileged information and attorney-client work product. If you are not the intended recipient of this email, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, is strictly prohibited. If you have received this email in error, please notify the sender by email, telephone or fax, and permanently delete the original and any of any email and printout thereof. Thank you.