Failing to Safeguard Patient Privacy, Breaching HIPAA May Impact Your Professional License

It appears for the moment, however, that negligent violation of patient privacy is potentially excusable where there are no actual damages. The Michigan Court of Appeals in Doe v Henry Ford Health Sys, 2014 Mich App LEXIS 2557 (December 18, 2014) dismissed an action for alleged invasion of privacy for the negligent disclosure of PHI online.

The Plaintiffs in Doe brought action against Henry Ford Health System for their alleged failure to protect a group of 159 patients who had doctor’s visits at Henry Ford between June 3, 2008, and July 18, 2008. 

Henry Ford’s third-party data manager had made a configuration change to their server which left certain patient records unprotected. As a result, “Googlebot,” Google’s automated web crawler, indexed the information —  making it possible to find the patient information through Google’s search engine.

The information made accessible included the patient’s name, medical record number, the date of the patient’s visit, the location of the visit, the physician’s name, and a summary of the visit including medical history and diagnoses.

After Henry Ford learned of the problem, all information was removed from the internet, the patients were notified, and corrective measures to protect the data were undertaken.

The plaintiffs thereafter brought suit claiming invasion of privacy, though the court dismissed the case on defendant’s motion for summary disposition because the disclosure was negligent and negligent invasion of privacy does not exist as a cause of action in Michigan.

The court stated that to bring a cause of action in Michigan courts for the disclosure to another of private health information, one must bring the case under invasion of privacy through the public disclosure of private facts, and a plaintiff must meet three elements: (1) the disclosure of information; (2) that is highly offensive to a reasonable person, and (3) that is of no legitimate concern to the public.

Further the “publicity” must be made “to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.”

The court reasoned that there was no precedence for permitting the tort of invasion of privacy to proceed on the basis of negligent disclosure.

Accordingly, the court dismissed the invasion of privacy action because there was sufficient evidence to conclude that the disclosure was not intentional. The court further reasoned that the plaintiff’s case could not be maintained under negligence theory or breach of contract theory unless they could prove actual damages.

Although Doe bodes well for the institution, the individual licensed health professional may still be subject to an investigation and complaint by the health provider’s disciplinary subcommittee for the representative board of licensure for their negligent disclosure of PHI.

A complaint arising out of allegations of negligent disclosure of PHI may be brought under the Michigan Public Health Code, MCL 333.1101–333.25211, in at least two counts.

The first is an alleged violation of a general duty, consisting of negligence or failure to exercise due care, including negligent delegation to or supervision of employees or other individuals, whether or not injury results. 

The second is the allegation of incompetence, which is defined as “a departure from, or failure to conform to, minimal standards of acceptable and prevailing practice for a health profession, whether or not actual injury to an individual occurs.”