Hospital named in complaint over privacy

Published 12:00 am Monday, July 25, 2011

By Emily Ford
Rowan Regional Medical Center will undergo voluntary corrective action next month after a former patient filed a privacy complaint against the hospital.
Federal investigators found no violation of patient privacy rights. But employees in the Rowan Regional departments implicated in the complaint will undergo training on safeguarding medical re-cords, confidentiality and more, according to the U.S. Department of Health and Human Services Office for Civil Rights.
The hospital departments named in the complaint were not disclosed by the Office for Civil Rights, which investigated the HIPAA Privacy Rule complaint filed Aug. 26 by former patient Jennifer Alexander.
HIPAA is the federal Health Insurance Portability and Accountability Act.
Alexander alleged that Rowan Regional inappropriately used and disclosed her protected health information and a hospital employee harassed her and her family.
Separate from the complaint, Alexander also has filed a civil lawsuit against the hospital, Novant Health and two hospital employees for negligence, defamation, slander and invasion of privacy. Novant owns Rowan Regional. The two employees are not being named because they have not yet been served with the lawsuit.
Alexander referred questions to her attorney.
A hospital spokeswoman said Rowan Regional officials are unable to comment on pending litigation.
During the HIPAA investigation, the Office for Civil Rights “did not find any indication” that Rowan Regional improperly accessed or disclosed Alexander’s protected health information, said Rachel Seeger, spokeswoman for the federal office.
The audit trail of Alexander’s medical record did not show any hospital employees inappropriately accessed her protected health information, and the investigation did not reveal any indication the hospital retaliated against Alexander for filing a Privacy Rule complaint.
“However, due to evidence OCR gathered during its investigation, the covered entity performed certain actions to ensure continued compliance with the Privacy Rule,” Marlene Rey, deputy regional manager for the Office for Civil Rights, said in a letter to Alexander and Rowan Regional Privacy Officer Campbell Tucker.
Seeger said her office could not disclose what evidence led to the hospital’s voluntary corrective actions.
“The corrective actions suggest that things are less than squeaky clean there,” said Alexander’s attorney, Richard Rutledge Jr. of Winston-Salem.
Rutledge said he has requested the investigation file from the Office for Civil Rights to determine the depth and breadth of the inquiry.
In part, the investigation relied on employees’ denial that they had accessed or disclosed Alexander’s protected health information.
“The fact that the investigation found no admission of disclosure is far from surprising,” Rutledge said. “Obviously, not everyone who shared information is going to admit it.”
The investigation also relied on the hospital’s audit trail of Alexander’s medical record. Rutledge said he needs to know more about how Rowan Regional oversees and maintains the audit trail, which is a way of tracking who is looking at medical records.
The hospital would not give details about the audit trail.
“Although we cannot comment on specific methodology used for conducting audit trails, we can share that we comply with federal laws that require healthcare providers to have the ability to produce audit trails for access to patient records,” spokeswoman Robin Baltimore said.
The finding by the federal investigation of no HIPAA Privacy Rule violations does not affect Alexander’s civil lawsuit against the hospital, Rutledge said.
“Different proceedings have different standards of proof they need to meet,” Rutledge said. “I don’t know what legal standard OCR uses.”
Even though Alexander’s allegations did not meet the definition the Office of Civil Rights uses for a violation of the Privacy Rule, “that doesn’t necessarily mean there wasn’t disclosure” of her protected health information, Rutledge said.
Hospital training will take place in February, focusing on the role of the privacy officer, safeguarding protected health information, disclosing protected health information, confidentiality and a review of the hospital’s policies and procedures regarding access to protected health information.
The hospital will not disclose which departments will undergo corrective action, Baltimore said.
“Training of our workforce is always valuable to help our employees provide the best care possible,” Baltimore said in an e-mail to the Post.
“Every Rowan Regional Medical Center employee is educated about privacy rules during new employee orientation, and every employee receives annual training on the importance of protecting the privacy of our patients,” she said.
HIPAA investigations are unusual.
This marks the second time the federal government has accepted and investigated a HIPAA Privacy Rule complaint against Rowan Regional, according to the Office for Civil Rights.
A 2007 investigation also resulted in corrective action but no fines or penalties, said Seeger, the spokeswoman for the federal office.
The Office for Civil Rights has closed the investigation.
“Based upon our investigation, all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance and corrective actions of the covered entity,” Rey said in the letter.
The determination “applies only to the allegations in this complaint that OCR reviewed,” she said.
Since April 2003, the U.S. Department of Health and Human Services has received more than 56,754 HIPAA Privacy Rule complaints. Most were declined for investigation. About 12,000 were accepted for investigation and enforcement. The government found no violation in 6,500 cases.
In North Carolina from April 2003 to December 2009, 61 percent of complaints were closed after intake or review, 17 percent had no violation and 22 percent had corrective action.
Alexander filed her lawsuit against the hospital Dec. 30 in Forsyth County Superior Court. Novant Health is based in Winston-Salem.
The six causes of action in the suit include negligence, negligent retention and supervision of employee, negligent or reckless infliction of severe emotional distress, intentional invasion of privacy, defamation-slander and breach of parents’ duty to supervise minor children.
Defendants have 30 days to file a response after they are served.
“It is important to remember that a complaint is only one side of the story,” Baltimore said. “Equally important to remember is that anyone can file a lawsuit, but filing a lawsuit does not imply that the suit has merit.”
Alexander is asking for punitive and compensatory damages exceeding $10,000 from each defendant, as well as a restraining order and injunction preventing the defendants from disclosing or disseminating any of her confidential health records.
Contact reporter Emily Ford at 704-797-4264.