Privacy violations: Small breaches also pose danger but rarely addressed

In an era of increased concerns about patient privacy within the healthcare industry, most of the attention focuses on large-scale breaches; indeed, five such incidents this year compromised nearly 100 million private records. But this focus means smaller-scale breaches affecting only one or two patients often fly under the radar, according to Pro Publica.

It seems counterintuitive, but larger-scale violations often lead to little in the way of actual harm. Smaller-scale cases, such as that of a New Jersey hospital employee who exposed data on an 11-year-old boy's suicide attempt, often have more immediate consequences, but federal authorities are slower to penalize them. In these cases, the federal Office for Civil Rights typically acknowledges the wrongdoing and pledges to correct any issues, often reminding the offending provider of the provisions of the Health Insurance Portability and Accountability Act (HIPAA), the article noted. But the office does not publicize numbers for small breaches or which organizations are responsible for them.

Victims of HIPAA violations do not have the option to sue for damages, and their alternate options vary by state. For example, a woman whose human papillomavirus status was publicized on Facebook by a patient care technician at her local hospital was given a letter of apology that did not specify any disciplinary action. She eventually retained Neal Eggeson, an Indianapolis lawyer, who settled out of court with the hospital without suing.

"The vast majority of people who come through my door honestly are upset that no one has stepped up to the plate and said that what happened to you was wrong," Eggeson told Pro Publica. "If the healthcare provider isn't going to give them that satisfaction, then maybe a jury will."

Privacy violations on social media have become a controversial topic in recent years, with cases such as a New York City nurse fired for an Instagram post. In November, a judge ruled the hospital where one such employee worked was not responsible for the violation because the information was accessed outside of the employee's job duties, FierceHealthcare previously reported.
