An Indiana woman’s medical test results and suggested course of treatment were sent to another patient.
The court ruled in favor of the healthcare provider after an initial hearing in 2022.
The woman appealed the ruling, claiming that the provider was negligent and that this loss of privacy had led to personal harm, loss, and trauma.
In 2018, an employee of Community Health Network, Inc., in Indiana, mailed test results and a suggested course of treatment for a patient, identified in court records as Z.D., to a different patient. The patient who received Z.D.’s results was a classmate of Z.D.’s teenage daughter. She posted the letter from Community Health Network on Facebook, where many community members, including Z.D.’s fiancé and daughter, saw it. In 2020, Z.D. filed a lawsuit against Community for distributing her private health information to the public, causing her extreme distress and financial loss. The 2020 lawsuit wasn’t successful, but the case is now back in court on an appeal.
Community Health Center argued that, although their staff made an error when mailing the letter, they could not have foreseen the actions of the recipient, Jonae Kendrick. In the initial trial, they contended that Kendrick should have returned or destroyed the letter when she saw it was not for her. They also stated that it was Kendrick’s actions of posting the letter to Facebook, and later requiring a sum of $100 from Z.D. in exchange for the letter, which was removed from Facebook, that caused damages and distress to Z.D. Calling Kendrick’s action an “unforeseeable ‘criminal act,’” Community claimed that their employee could not be held responsible for the chain of events and that they had acted within the scope of their employment.
Z.D.’s team argued that Community’s lack of systems for ensuring that Z.D.’s information did not get sent to the wrong person is at fault. Z.D. claimed that Community failed to protect her privacy and, as a result, that she has suffered substantial damages and losses, including the termination of a long-term relationship, the loss of housing and income, damage to her reputation within the community and her sense of security, and more. Z.D. claimed that, in addition to these losses, the ordeal was “traumatizing,” and that her children were being bullied at school.
After an initial hearing in March 2022, the court ruled in favor of Community. However, Z.D. is currently appealing this ruling. The appeal argues that the results and suggested course of action were in a letter addressed to Kendrick, meaning that Kendrick did not act criminally in opening it, and that Z.D.’s privacy would have been violated even without the letter being posted to Facebook. The appeal further argues that the burden is on Community to prove that they did enough to protect Z.D.’s information from being made public—something they have failed to do. A verdict on the appeal has not yet been reached.
When patient privacy violations become malpractice
It’s common to think of mistakes during surgery or missed diagnoses when you think about medical errors, but there can be substantial damages from privacy violations, too. Nichole M. Pieters, MS, RN, CEN, CPHQ, CPPS, Patient Safety Risk Manager II with The Doctors Company, said that the mishandling of patients’ private healthcare information can lead to harm to patients and providers.
“Ramifications [for] both the patient and healthcare providers can be devastating. Patients may experience a delay in care, potentially causing harm. The breach can also lead to identity theft. Either or both can cause embarrassment and emotional distress,” says Pieters. “Consequences for healthcare providers can include state and federal inquiries, such as regulatory and medical board investigations. The Office for Civil Rights (OCR) is responsible for HIPAA enforcement and may impose corrective action up to and including sizable fines. All of this can result in financial and reputational loss and can lead to emotional exhaustion.”
Typically, mistakes in sharing patient data can’t be brought to trial as malpractice. It’s much more likely for these errors to be classified as HIPAA violations and to result in criminal charges. However, cases that demonstrate that privacy violations and erroneous data sharing have been grossly negligent and led to harm can be brought to court for malpractice.
Taking steps to reduce this risk protects your patients and your practice, says Dr. Hussain Elhalis, MD, an ophthalmologist in Ocala, Florida, and Founder of ElhalisMD. Patient privacy and confidentiality are key to physician-patient relationships and to establishing trust, he adds.
“Protecting patient confidentiality is about respecting our patients and their rights. We must remember that behind every piece of data is a person,” Elhalis says. “Patient confidentiality is a cornerstone of the doctor-patient relationship, and it’s vital to building trust.”
Training, technology, and understanding the rules of HIPAA and other privacy laws are some of the best ways you can ensure patient privacy stays secure.
“Staff training is crucial. Everyone from the physicians to the administrative staff [should be] trained on the importance of confidentiality, how to securely operate records systems, and how to share patient information,” says Elhalis.
Pieters shares these four key patient privacy strategies:
Ensure that the release of information is authorized under state or federal law—and by the patient when necessary. Familiarize yourself with TPO exceptions: those circumstances that may not require authorization.
Verify that the person requesting and receiving the protected health information is authorized to do so.
Make sure that the method used to send records is secure. Secure options may include mail, hand delivery, fax, encrypted email, or an encrypted portal. When sending via physical mail, use a double envelope. When faxing, use a cover sheet that includes instructions for the recipient regarding the next steps if they are not the intended recipient.
When in doubt, ask the patient.