A sexual assault victim filed a lawsuit against Atchison Hospital in Kansas because allegedly a hospital x-ray technician shared sensitive data to her attacker regarding her treatment at the hospital.
As per the Kansas City Star, the woman received hospital treatment after being raped. She had a rape kit examination and clearly told the hospital not to disclose her medical data to third parties.
In spite of the patient’s instruction, a female X-ray technician revealed the data of her examination to her attacker violating the HIPAA Privacy Rule. The x-ray technician additionally informed the man that the patient accused him of sexual assault.
After the information disclosure, the attacker repeatedly bothered the patient for several weeks and threatened her by telephone and text message. Besides getting a barrage of abuse from the attacker, the lawsuit alleges the hospital staff also harassed the woman.
After filing a privacy violation complaint with the hospital, an internal investigation was started. The medical records system was inspected to find out if there was unauthorized access of her medical records and staff members were interviewed.
There was no evidence found that suggest the inappropriate access of the woman’s electronic medical records, however, the hospital deduced the X-ray tech had seen the woman’s medical data in the health information department of the hospital. The hospital affirmed that the X-ray tech was not on her care team and did not have the authorization to see her medical information.
The hospital apologized to the woman for the privacy violation. It also reviewed its policies and procedures and updated it as needed to minimize the risk of the occurrence of similar incidents.
The X-ray tech was terminated from the hospital because of the privacy violation and was later employed by Saint Luke’s Cushing Hospital. As per the patient’s lawyers, information about the previous employee’s conduct was not made known to Cushing Hospital and a good review was given. The patient’s lawyers claim the hospital didn’t disclose the rationale for the employee’s termination to the prospective new employer.
Hospital CEO John Jacobson made a statement that the hospital prioritize patient confidentiality and the protection of personal information. The actions of the former employee was disturbing, hence, the hospital has taken immediate actions to investigate and terminated the employee within two days.
The lawsuit charges the hospital for having insufficient policies to protect patient information against unauthorized access and alleges the hospital of negligence, hence, there was an invasion of patients’ privacy. The hospital violated its fiduciary duty. The lawsuit is seeking punitive damages.