Cincinnati center hit with privacy suit

Illustrates IT and other complexities hospitals face in keeping patient data private and secure
By Evan Schuman
08:34 AM

The University of Cincinnati Medical Center is at the center of a legal battle that is the nightmare of every healthcare organization corporate counsel. The allegation is that a financial services employee of the hospital accessed the detailed billing records of a patient with a sexually transmitted disease and deliberately and maliciously published those records on Facebook, taunting and ridiculing the patient.

The details behind the incident (which speaks to the motivation of the employee to do this) are sordid and involve a messy romantic situation. But the legal situation forces an even more uncomfortable question: If the threat of termination and possible civil and criminal legal charges does not stop employees from misusing sensitive patient information, what will?

Beyond money, the lawsuit is seeking changes in hospital procedures to prevent this from happening. But even the attorney filing the lawsuit, Mike Allen, a former county prosecutor, said he doesn't yet know what changes are possible or practical.

[See also: Better info governance is 'imperative'.]

Is it practical to limit financial services access to only cases that involve an active billing dispute? Does the nature of that position require access to all patient billing files? Neither the hospital spokesperson nor the attorney for the plaintiff was clear on how the data was transmitted to Facebook. Was it a screen capture done from within the Windows operating system (the Print Screen key), or was it photographed using a mobile phone's camera, snapping a picture of the display? The first kind of screen capture can be disabled by IT, but how can the mobile camera screen capture be prevented?

"We already have HIPAA policies in place. Very strict ones," said Diana Maria Lara, spokesperson for the University of Cincinnati Medical Center. "But it is impossible now with cell phones to monitor everyone who comes in and out of these doors. If there is a personal motivation to violate HIPAA rules, we're not going to know about it until after it's done."

That's actually the point of the attorneys for the plaintiff. Can hospital IT indeed do anything to prevent these data leaks before they happen? Beyond cash compensation, the lawsuit is seeking to have the hospital make procedural changes to prevent this from happening again. But until lawyers go through discovery and depositions, they're not sure what changes they are seeking, as it's not clear what the hospital's current procedures are.

But co-counsel Jason Phillabaum did say that the financial services employee—a woman named Ryan Rawls—should never have had access to his client's medical information. His speculation is that Rawls couldn't access it from her financial database and that an unidentified nurse accessed and forwarded the medical data that was leaked.

What if the hospital had a system, Phillabaum asked, where any such request had to be pre-approved by a supervisor? "It might be a situation where a supervisor would look at all requests every few hours," he said.

In the interest of not overly slowing operations, perhaps such a system could flag requests that seem unusual for the employee, much the way that credit card companies use software that spots purchases that violate the pattern of that shopper, Phillabaum suggested.
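One way to implement the pattern-based flagging Phillabaum describes, as an added example that is not part of the original article or of the hospital's systems; the role policy, the per-user baselines and the audit-log entries are all constructed assumptions:

```python
from collections import defaultdict

# Assumed role policy: the record categories each role may open, and whether an
# access must be tied to an open billing item to count as having a business reason.
ROLE_POLICY = {
    "financial_services": {"categories": {"billing"}, "needs_open_billing": True},
    "nurse": {"categories": {"billing", "clinical"}, "needs_open_billing": False},
}

# Constructed audit-log entries (not real data). Each dict is one record access.
AUDIT_LOG = [
    {"user": "fs01", "role": "financial_services", "patient": "P100",
     "category": "billing", "open_billing": True, "hour": 9},
    {"user": "fs01", "role": "financial_services", "patient": "P101",
     "category": "billing", "open_billing": True, "hour": 9},
    {"user": "fs01", "role": "financial_services", "patient": "P102",
     "category": "clinical", "open_billing": False, "hour": 10},
    {"user": "rn07", "role": "nurse", "patient": "P102",
     "category": "clinical", "open_billing": False, "hour": 10},
    {"user": "rn07", "role": "nurse", "patient": "P103",
     "category": "clinical", "open_billing": False, "hour": 10},
]

def policy_violations(entry, policy=ROLE_POLICY):
    """Return the reasons one access falls outside its role's normal pattern."""
    rule = policy.get(entry["role"])
    if rule is None:
        return ["unknown role"]
    reasons = []
    if entry["category"] not in rule["categories"]:
        reasons.append(f"{entry['role']} opened {entry['category']} record")
    if rule["needs_open_billing"] and not entry["open_billing"]:
        reasons.append("no open billing item for this patient")
    return reasons

def volume_anomalies(log, baseline_per_hour):
    """Flag (user, hour) pairs that touched more distinct patients than the user's baseline."""
    seen = defaultdict(set)
    for e in log:
        seen[(e["user"], e["hour"])].add(e["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > baseline_per_hour.get(k[0], 0)}

def review_queue(log, policy=ROLE_POLICY, baseline_per_hour=None):
    """Accesses a supervisor should review, each with the reason it was flagged."""
    queue = [(e["user"], e["patient"], r) for e in log for r in policy_violations(e, policy)]
    for (user, hour), n in volume_anomalies(log, baseline_per_hour or {}).items():
        queue.append((user, f"hour {hour}", f"{n} distinct patients exceeds baseline"))
    return queue
```

A real deployment would derive the baselines from each user's own history rather than hard-coding them, and would route the queue to the supervisor review Phillabaum proposes.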

"We think (the University of Cincinnati Medical Center's) system is inappropriately protected," Phillabaum said.

[See also: Security: healthcare's fixer-upper.]

Allen said hospital officials' initial defense is that Rawls "was operating outside the scope" of her job with the hospital. But given that this activity happened during working hours, from her hospital desk, and that it was only possible given the hospital's computer access and the hospital's training of that employee, it's not clear how it was outside the scope. Clearly, her actions—if true—are beyond her job description, but that wouldn't clear the hospital of liability. It's what would create that liability.

In an unusual move for a major hospital in the beginning stages of a lawsuit, Cincinnati officials have conceded many of the most damning allegations of the litigation. "Our investigation revealed that the record had been accessed by a Financial Services employee who did not have a business reason to do so. The individual’s employment was terminated and we reported the incident to federal authorities. This occurred within days of the patient making us aware of this occurrence," said Lee Ann Liska, President and CEO of UC Medical Center. "We are outraged that anyone might misuse a position with UC Health to attempt to embarrass or cause harm to another person. This is contrary to our ethic and the training we provide to our associates and we took immediate action as a result. All associates have been reminded that the unauthorized access or viewing of medical records, or the unauthorized sharing of PHI, is a betrayal of that trust, and cause for immediate termination."

The incident—and the related termination—all happened last year, on Sept. 6, 2013, when a pregnant Shawntelle Turley was admitted as an inpatient at the University of Cincinnati Medical Center, where she was diagnosed and treated for syphilis, a sexually transmitted disease. She called the father of her unborn child, Raphael Bradley, according to the lawsuit, and told him she was in the hospital but she declined to say why.

To find out the diagnosis, he called Rawls, who was not only a hospital employee but also the mother of a different child of Bradley's. Rawls accessed hospital records about Turley and provided them to Bradley. Note: The hospital and the plaintiff disagree about how Rawls came to possess the medical records. The hospital suggests that Rawls accessed them on her own, whereas the plaintiffs argue that Rawls had help, and they suggest it was a hospital nurse who provided some of the details to Rawls.

After Bradley received the pictures of the records, the lawsuit said that he posted them on a Facebook group called "Team No Hoes." Many harshly-worded messages were then posted.

Regardless of the sordid details of the case, the University of Cincinnati Medical Center finds itself admitting that one of its employees gave hospital medical data to someone who had no medical need to have the data, and that person used it to deliberately humiliate a patient. It's entirely possible that Rawls thought she was simply providing helpful information to someone she knew well and who, given the nature of the patient's ailment, might have even had a right to know. Plaintiff counsel said that Rawls might have had no idea that Bradley intended to post the information on Facebook.

That's why privacy rules exist. An employee might see it as perfectly reasonable to tell a sexual partner of a syphilis patient the nature of the ailment. But as this case vividly illustrates, once the data gets out, there is no way to control where and how it might be used. The hospital could be liable for the damage and much more. It's rare for a privacy incident to so perfectly showcase the dangers of weak data-protection strategies. And if IT tightens enough of those data security plans, perhaps such lessons will remain rare.
