A group of Spectrum Health medical residents was recently exposed by local media photographing, and commenting on, patient’s body parts during surgery. They were taking photos of organs removed, while the patient was unaware and still on the surgery table and captioning them as a “Price is Right” game on Instagram.
Unfortunately, this terrible event is not the only example of hospital employees exposing patient’s private medical information:
- The Mayo Clinic made headlines when it was discovered that a Mayo health care worker accessed medical records of more than 1,600 patients, including images of body parts. Many of these patients filed suit in a class action lawsuit for invasion of privacy.
- An angry surgeon fired from UCLA Healthcare System in California accessed and read private patient records, including those of his boss and notable celebrities. He was charged criminally and was sentenced to jail.
- In another case, a hospital faxed medical information revealing HIV status to the mailroom of the patient’s employer, even though the patient had specified mail be directed to a PO Box.
- UCLA made the headlines over multiple breaches in which hospital employees snooped into the medical records of Britney Spears, Maria Shriver when she was California’s First Lady, and actress Farrah Fawcett.
- And with social media, the exposure of private medical information has changed. In 2010 a nurse posted on social media her thoughts about treating a patient for a gunshot wound. That patient had been accused of killing a police officer.
In 2020 alone, over 29 million records were reported as having been exposed.
What can you do if your medical information was exposed?
In Michigan, you may be able to sue the hospital for invasion of privacy. The tort of invasion of privacy protects against four types of invasion of privacy, including public disclosure of private facts. Matters concerning a person’s medical treatment or condition is generally considered private. To have a valid claim, a plaintiff must show (1) that private information was disclosed; (2) the disclosure would be highly offensive to a reasonable person, and (3) that the information is of no legitimate concern to the public. Additionally, the information must have been “published.” This generally means that it was disclosed to the public at large, or to so many people that it is substantially certain to become public knowledge. Sharing on a public Instagram page would seemingly satisfy the publicity requirement. (Depending on the facts surrounding the unauthorized disclosure, publication to only a single person may be enough to bring a lawsuit.)
Exposure of your private medical information, if done by an employee of health facility like a hospital, would also likely be a violation of HIPAA (Health Insurance Portability and Accountability Act). HIPAA requires health facilities such as doctor’s offices and hospitals to keep your medical information private.
A patient cannot sue a hospital in Michigan courts for violating HIPAA. The appropriate action would be to file a Complaint with the Office for Civil Rights (OCR). The investigative and potential settlement process is detailed and there are tight time constraints.