Patient data security nightmare—coming to a courtroom near you

February 8, 2001

One of healthcare's worst security nightmares was played out in a mock trial at the HIMSS meeting this week.

In the dock before an actual jurist in the lighthearted, though sobering, session was the fictitious Grits Healthcare System and its equally fictitious information security manager, sued by attorney Alan Goldberg for invasion of his client's privacy.

Goldberg's client, Jane Doe, claimed that Grits Healthcare was negligent in the disclosure of individually identifiable health information that was supposed to be kept confidential. Doe sought damages for the consequences she suffered in her personal life as a result of the privacy breach.

The suit claimed that a Grits employee, Jane's sister-in-law Mary, disclosed to Jane's then husband that Jane had visited a Grits outpatient clinic for a pregnancy test a year ago. Mary, who worked as a senior accounts analyst in the clinic's accounting department, had seen Jane's electronic medical record while testing a new computer accounting system.

Mary was more than a little shocked to see that Jane had taken a pregnancy test, since she knew that her brother had undergone a vasectomy more than five years earlier - and could therefore not have been paternally responsible for Jane's pregnancy.

Mary related this juicy bit of information to her brother, who filed for divorce less than a month later.

In his opening remarks, Goldberg said his client's life, her entire existence, had been "unfortunately and horribly damaged forever" by the actions of this "miserable excuse for an information services professional."

He also claimed that Grits had neither a formal nor consistent policy in place to sanction employees who breached confidentiality policies.

"This defendant and his staff knew what needed to be done to protect my client's information, yet they did not do it," he said.

The mock trial was held to dramatize the stark realities surrounding the issue of data security in the hypersensitive environment swirling about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any healthcare information manager can be sued for violating the security, confidentiality, and privacy of a patient's medical records.

After questioning the defendant about the process of developing and applying procedures controlling confidentiality of patient data, Goldberg closed by asking about the implications of HIPAA.

"Had you protected the confidentiality, privacy, and security in accordance with the Act, had you imposed the procedures, had you limited information to minimally necessary, had you had software and hardware solutions, would this circumstance have occurred?" he asked the defendant.

The defendant admitted that if Grits had done everything that HIPAA requires, this probably would not have occurred.

Goldberg then rested, asking for a verdict in favor of the plaintiff, considering the admission by the defendant that there existed "sufficient data, information, material, procedures, and inspiration following the 1996 enactment of HIPAA" to have avoided the entire incident.

The judge then asked the jury - an audience of healthcare information professionals - to decide the case on a preponderance of evidence of liability.

"In order to find the defendant liable, you must find that he failed to take such action as a reasonable information security professional would have taken under the same circumstances to protect privacy, confidentiality, and security," the judge said.

By a voice vote of about two to one, the defendant was found "not liable" and released.