Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

HIPAA case studies: misguided mistakes and egregious errors

Michael J. Sacopulos, JD
Social media
March 7, 2019
Share
Tweet
Share

An excerpt from Tweets, Likes,and Liabilities: Online and Electronic Risk to the Healthcare Professional.

When it comes to HIPAA violations, there are, sadly, plenty of examples available to serve as cautionary tales. Some seem like innocent mistakes that just about anyone could make. Others are so egregious that those involved appear to be willfully inviting the wrath of regulators and malpractice attorneys. Unfortunately, some people assume that any post that does not include the patient’s name or photograph is a safe post. As we will see, that is a false and dangerous assumption. The following examples of HIPAA violations over the years offer valuable lessons for anyone dealing with patient privacy issues in the digital age.

Before and after

Because purely cosmetic procedures are not typically covered by health insurance, plastic surgery practices often need to market their services more aggressively than other providers. This often means posting patient “before and after” photos in order to showcase a surgeon’s results. Doing so can place the provider in the center of a digital minefield, where slip-ups can result in lawsuits and HIPAA violations. Mandi Stillwell, a San Francisco photographer, was stunned when a man she met on an online dating site informed her that his Google search of her name had turned up photographs of her bare breasts. Stillwell had undergone plastic surgery in Fresno and had agreed in writing to let Dr. Enraquita Lopez photograph her and use the images to market the practice. However, the agreement stipulated that if images of her results were used, Stillwell would remain unidentifiable. The photographs showed only her torso. Stillwell filed suit against Dr. Lopez. In court, Dr. Lopez’s lawyer explained that the doctor and her staff had made a mistake and accidentally placed identifiable photos of Stillwell on the internet. The photos were removed as soon as the doctor was made aware of them. The jury found in favor of Stillwell, and she was awarded an $18,000 settlement. Of course, just because the doctor had the photos removed from the internet does not mean they will not reappear. Any viewer with a computer could have copied them and could repost them at any time.

Even when a provider is confident that photos it has posted make it impossible to identify a patient, the digital world can prove them wrong. In one case, otherwise anonymous photos were posted on a practice’s website in such a way that clicking on the photos revealed their digital file names, which included the patients’ names. You must be aware of hidden or semi-hidden information in digital photos and other files and always make sure that all patient identifiers are removed.

To modify a line from Thomas Jefferson, the cost of patient privacy is eternal vigilance.

An inside job

An employee who unintentionally creates a HIPAA breach is bad enough, but a rogue employee who willfully creates them is every practice’s worst nightmare. Some employees can’t resist snooping in medical records; others go much further. Consider the case of a high-end plastic surgery practice located on Beverly Hill’s posh Rodeo Drive. A contract employee who started out as a driver and translator was soon given other duties, including data entry. Things went bad very quickly. Just six months after the employee started, the practice confronted her about missing funds. She quit but claimed she could not return her company phone because she had lost it. The practice was able to recover the phone when the ex-employee was caught trespassing at a facility that stored patient records. According to the office manager, the former employee had been surreptitiously photographing and videoing patients and procedures, patient records, and credit card numbers. It also appears the employee may have been responsible for a burglary at the practice, during which a large amount of data was downloaded to a hard drive and paper records were stolen. Some patients began receiving threatening and harassing phone calls and emails. As of this writing, the Los Angeles Sheriff’s Department is conducting an ongoing investigation.

Obviously, you should screen and background check employees carefully to help prevent “inside jobs.” And every employee should be thoroughly trained and know the boundaries that apply to their position. What’s more, you should be monitoring data access to ensure that no one is viewing, printing, or downloading any information that is beyond the scope of their duties. Doing so allows you to spot irregularities early on and deal with them in a timely manner.

Michael J. Sacopulos is a health care attorney and co-author of Tweets, Likes,and Liabilities: Online and Electronic Risk to the Healthcare Professional.

Image credit: Shutterstock.com

Prev

How to prevent ski injuries: tips from an orthopedic surgeon

March 7, 2019 Kevin 0
…
Next

To parents who have lost children: We never forget your children

March 7, 2019 Kevin 8
…

Tagged as: Practice Management, Twitter

Post navigation

< Previous Post
How to prevent ski injuries: tips from an orthopedic surgeon
Next Post >
To parents who have lost children: We never forget your children

ADVERTISEMENT

Related Posts

  • 3 surprising links to medical errors

    Health eCareers
  • How should physicians hear back about their diagnostic errors?

    Ashley Meyer, PhD and Hardeep Singh, MD, MPH
  • Medical errors? Sorry, not sorry.

    Iris Kulbatski, PhD
  • The case of HIPAA, an orthodontist, and Black Panther’s Michael B. Jordan

    Davis Liu, MD
  • 5 common and commonly overlooked mistakes in the medical school interview 

    Rajani Katta, MD
  • Made mistakes? How to spin them for your medical school applications.

    Michelle Finkel, MD

More in Social media

  • First impressions happen online—not in your exam room

    Sara Meyer
  • What teenagers on TikTok are saying about skin care—and why that’s a problem

    Khushali Jhaveri, MD
  • How social media and telemedicine are transforming patient care

    Jalene Jacob, MD, MBA
  • How DrKoop.com rose and fell: the untold story behind the Surgeon General’s startup

    Nigel Cameron, PhD
  • How I escaped the toxic grip of social media

    Dr. Damane Zehra
  • Why doctors must fight health misinformation on social media

    Olapeju Simoyan, MD
  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • How New Mexico became a malpractice lawsuit hotspot

      Patrick Hudson, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why public health must be included in AI development

      Laura E. Scudiere, RN, MPH | Tech
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • Why flashy AI tools won’t fix health care without real infrastructure

      David Carmouche, MD | Tech
  • Recent Posts

    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why helping people means more than getting an MD

      Vaishali Jha | Education
    • How digital tools are reshaping the doctor-patient relationship

      Vineet Vishwanath | Tech
    • Why evidence-based management may be an effective strategy for stronger health care leadership and equity

      Olumuyiwa Bamgbade, MD | Physician
    • Why health care leaders fail at execution—and how to fix it

      Dave Cummings, RN | Policy
    • Residency match tips: Building mentorship, research, and community

      Simran Kaur, MD and Eva Shelton, MD | Education

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

View 1 Comments >

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • How New Mexico became a malpractice lawsuit hotspot

      Patrick Hudson, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why public health must be included in AI development

      Laura E. Scudiere, RN, MPH | Tech
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • Why flashy AI tools won’t fix health care without real infrastructure

      David Carmouche, MD | Tech
  • Recent Posts

    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why helping people means more than getting an MD

      Vaishali Jha | Education
    • How digital tools are reshaping the doctor-patient relationship

      Vineet Vishwanath | Tech
    • Why evidence-based management may be an effective strategy for stronger health care leadership and equity

      Olumuyiwa Bamgbade, MD | Physician
    • Why health care leaders fail at execution—and how to fix it

      Dave Cummings, RN | Policy
    • Residency match tips: Building mentorship, research, and community

      Simran Kaur, MD and Eva Shelton, MD | Education

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

HIPAA case studies: misguided mistakes and egregious errors
1 comments

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...