Proper Handling of Protected Health Information is a Grave Responsibility

I like to keep up on news related to information management in Coviant Software’s key industries, like healthcare, and came across a troubling story on lawyer Eric Goldman’s Technology & Marketing Law Blog over the holiday. The blog outlines a case in which an Indiana healthcare provider, Community Health Network, mailed a letter containing a patient’s diagnosis to the wrong person. The diagnosis was, apparently, a serious one, and for whatever reason, the individual who received the letter decided to post the letter on a Facebook page. Then that person demanded $100 from the patient before taking the letter down from the social media site and forwarding it.

So Much Wrong with the Story

There’s so much wrong with the story, starting with the healthcare provider’s decision to send the letter to the wrong individual. It seems this was not a matter of right name, wrong address, or of a data entry error that resulted in transposed street numbers. According to Goldman, case documents say that “on October 5, [2018] the emergency department’s patient resource coordinator wrote a letter to Z.D. that was printed on Community letterhead and included her diagnosis and suggested treatment. The letter was placed in an envelope bearing Community’s preprinted return address and the handwritten mailing address” of an individual who was a classmate of the patient’s daughter.

It went downhill from there with the Facebook posting, the demand for money, and a series of events that beset the patient’s personal life, including the emotional distress of learning about a sensitive diagnosis in a highly public manner. Goldman’s blog states that the patient’s claims about the consequences she suffered included that “her fiancé broke up with her, her fiancé ‘kicked her out of his house,’ she suffered a depression, she had to leave her job, and she lost several clients for her business.”

Let a Jury Decide

A lawsuit was filed against Community Health Network. Despite initial rulings in favor of the defense, according to the legal website The Indiana Lawyer, an appellate court judge recently decided that “if Community wishes to argue that the fact it sent this extremely sensitive information to a classmate of [the patient’s] daughter was merely a coincidence, it is free to do so in front of a jury.”

At this point one has to wonder, “How does that even happen?” The series of errors that had to take place for a patient’s sensitive diagnosis to end up in a hand-addressed envelope sent to the wrong person, who just happens to be the classmate of the patient’s daughter, is mind-boggling. I’ll not speculate, but the need for healthcare providers to manage a patient’s protected health information (PHI) is well-established under the Health Insurance Portability and Accountability Act (HIPAA), which has been in effect since 1996.

People Deserve Dignity

Whether the letter was mailed as an act of gross negligence, with malicious intent, or as a simple matter of human error, this case is a reminder that the costs of poor information security and data privacy practices often go well beyond the financial. When information is associated with individual human beings, lives can be affected in many ways. Great care must be taken to ensure that people are treated with dignity, and the processes used to manage that information must consider the possible consequences. The reputations at stake are, first and foremost, those of the people. Brand reputation is secondary.

It helps to make individuals tasked with managing sensitive information aware of the gravity of their responsibility, and to provide them with the tools and training required to help them meet those obligations. The use of information management tools that use process automation to minimize the risk of human error can play an important role. A secure, managed file transfer platform like Diplomat MFT may help. Contact us to learn more.