My parter Sam Fox alerted me to a New Jersey lawsuit, Community Hospital Group v. Blume Goldfaden, which involves the a HIPAA issue involving the release of pap smear lab reports of non-party patients by JFK Medical Center in Edison, NJ to an attorney at Blume Goldfaden who was representing a client in a pending medical malpractice lawsuit.
According the to article appearing on Law.com:
The dispute began in 2003 when JFK realized it had misread three years of Pap smears for D.B., resulting in a third-year delay in diagnosing her cervical cancer. D.B. hired Blume Goldfaden partner Carol Forte to sue JFK. That suit, D.B. v. Palermo, MID-L-8396-03, is pending.
Concerned over what happened with D.B.'s samples, JFK sent 9,253 slides -- every Pap smear done for three years starting in 2000 -- to an outside laboratory for an independent review. The review uncovered 107 other "discrepancies," or false negatives.
In late November 2003, two women whose tests were misread, referred to as H.D. and N.B., received identical letters from Forte stating she was investigating D.B.'s claim against JFK for misreading samples. The letter went on to say that "it has come to my attention that you may have information about the competency of the pathology department." It asked them to "please contact me to discuss the information you may have."
H.D. and N.B. -- upset that their private medical information had fallen into the hands of a law firm without their consent -- told JFK they wanted answers.
According to the article, later it was learned that the information about the two non-party patients was released to the attorney representing the client in the pending medical malpractice lawsuit against JFK via a cicuitious route. The hospital notified a local gynecologist, Lawrence Seitzman of possible misread pap smears for 3 of his patients. Two of the patients were the H.D. and N.B. Dr. Seitzman met with the third patient and gave her a copy of the letter. The third patient then went to see her attorney about the matter who then sent the letter to Blume Goldfaden for a possible referral.
The article states:
On April 2, 2004, Superior Court Judge Travis Francis dismissed the suit, finding the hospital lacked standing to assert privacy claims on behalf of third parties and that HIPAA creates no private right of action. He ruled that only H.D. and N.B. could sue over the disclosure of their medical records and that the hospital "cannot attempt to use HIPAA as an offensive weapon against possible malpractice suits." But Francis denied Blume Goldfaden's request for fees against JFK for filing a frivolous suit, and both sides appealed.
The case is now on appeal and arguments were heard on September 27 before the NJ Superior Court, Appellate Division. The arguments raised issues about the role of lawyers in protecting protected health information under HIPAA. Amici briefs were filed by the Association of Trial Lawyers of Amarica-NJ and the Trial Attorneys of New Jersey.
This will be an interesting decision to watch. It also illustrates an issue I often address with my health care clients about the unlimited ways in which protected health information can get released from their hospital, facility or medical practice. One of the most important roles a facility privacy officer is to learn how protected health information moves about within the facility, who has access and what third parties do with the information. Without the basic understanding of this information no policies or procedures to protect information can be effective.