McAlester Hospital Sued Over Impermissible Disclosure of PHI and HIPAA Violation

Dennis and Wayne Russell’s adopted two-year old son Keon died in a tragic swimming pool accident. Shortly after the child was admitted to McAlester Regional Health Center, the Russells received a phone call from the birth mother who made numerous threats against the family. Due to the seriousness of the threats, the couple had to file a protective order against the birth mother.

When the birth mother was asked how she had found out about the accident she said she had been contacted by the hospital, however, the phone call should never had been made. The Russells first took care of Keon when he was only two weeks old and the adoption papers were signed in July 2015. Under the terms of the adoption, the birth mother relinquished all parental rights.

The Russells filed a lawsuit against the hospital over the disclosure of their son’s health information. The couple are seeking $150,000 in damages for the “extreme emotional distress” they experienced from having to deal with their son’s birth mother. In the lawsuit it is alleged that multiple HIPAA violations occurred at the hospital.

It is claimed that multiple hospital workers accessed Keon’s medical records without authorization including workers in the hospital cafeteria. The hospital had granted access to its EHR system to a food service section worker to allow her to check whether patients had diabetes, to view their dietary requirements, and to find out their room numbers.  Allegedly, the worker wrote down her login credentials on a sticky note and posted them on a computer so that others could use them to access the EHR system and had been instructed to do so by her superiors.

According to the EHR access logs, the food service worker’s credentials were used to access Keon’s medical records multiple times on the day of his admission, despite the fact the worker wasn’t on duty that day. The access logs indicated multiple workers had viewed Keon’s medical records, including labor and delivery department records.

While the lawsuit alleges HIPAA violations, it is not possible to sue for a healthcare provider for a HIPAA violation. Only the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have the authority to take legal action against HIPAA-covered entities for HIPAA violations. There is no private cause of action in HIPAA.

Instead of the violations of federal law, the lawsuit alleges the hospital violated state laws including Oklahoma’s medical records statute and was negligent for failing to protect Keon Russell’s privacy. A jury trial has been penned for January 2019.