Since news broke this week that employees at St. Mary’s Regional Medical Center in Lewiston created a “wall of shame” of patients with disabilities in 2015 and 2016, the hospital’s parent companies have issued an apology and said those involved were disciplined. But they have been silent on steps they may have taken to notify regulators and affected patients.
Federal law requires health care organizations to tell patients when their information is inappropriately disclosed. Karen Sullivan, vice president of corporate communications for Covenant Health, a Catholic nonprofit based in Massachusetts that owns St. Mary’s, did not respond to a question posed Wednesday, and again Friday morning, about whether the hospital had alerted the patients whose records were posted on the wall of shame.
Those records, which had been cut out and fashioned on the inside of a cabinet door, “included information detailing patients’ sexual activity, genital dysfunction, bowel movements, bodily odors and other personal maladies,” according to a report by an investigator for the Maine Human Rights Commission.
MyKayla McCann, who worked at the hospital as a laboratory technician assistant starting in June 2015, later reported the wall, in addition to the inappropriate disclosure of her own private medical information, to administrators in 2016.
Then she filed a complaint with the human rights commission in February 2017, which found reasonable grounds to believe that St. Mary’s discriminated against McCann, who has a disability, when it subjected her to a hostile environment created by her coworkers’ conduct. In addition to creating the wall, at least two employees looked at the private medical records of McCann, whom the hospital had previously treated, and used the information to mock her, she said.
Verne Paradie, McCann’s attorney, said Friday that her “claims have been fully resolved.” He declined to elaborate further on the apparent settlement.
In her complaint to the commission, McCann included pictures of the wall. They showed some identifying details such as order numbers, the exact time of a triage assessment, dates of birth and diagnoses. People’s addresses had been blacked out, and not all the text on the wall of shame is discernible from the submitted photos.
Sullivan did not respond to questions about how many individual people’s records were depicted, or whom people should call if they wanted to know if their records or a loved one’s had been part of it.
She also did not respond to questions about whether the hospital has made any specific changes to the way it handles patient information or trains staff, or whether anyone has filed a complaint with the Office for Civil Rights within the U.S. Department of Health and Human Services. That’s the agency responsible for enforcing the Health Insurance Portability and Accountability Act, or HIPAA, which prohibits the names of patients and their medical records from being disclosed without permission. Maine law also protects the confidentiality of medical records.
Rachel Seeger, senior advisor for public affairs and outreach at the Office for Civil Rights, said the agency “does not comment on open or potential investigations.”
There are some exceptions that allow providers to use patients’ information without their authorization, such as to further their treatment, but they don’t apply to a wall of shame, said Ezra Reinstein, founder of The Reinstein Law Firm in Framingham, Massachusetts, which represents medical professionals and practices.
“If it’s not within the treatment exemption, you either can’t do it, or you have to confine your use of the information to what’s called the ‘minimum necessary amount,’ the minimum standard under HIPAA.” he said. “It was not treatment based. It was socializing. It was shaming. Even if it could be called hospital operations, which is a different standard, this is not the minimum necessary information to accomplish any legitimate goal.”
“It’s absurdly offensive. It’s no way that a hospital should be operating anywhere in the country in this day and age — or any time. It’s horrendous,” Reinstein said.
A hospital is supposed to inform people of privacy breaches as soon as possible, he said. If it’s not immediately clear which patients were affected, it’s supposed to make an effort to find out.
“It has to do pretty much anything it can. It can’t just get off the hook by saying it’s too hard to figure out,” Reinstein said.
Dennis Melamed, an adjunct professor at the Drexel University College of Medicine in Pennsylvania and a health data privacy and security consultant, said he has heard of many different types of health information violations, but “this is one of the most bizarre.”
Beyond being required, people should know about breaches because they “have a right to know about how their data is being handled by the people they trust. The whole notion of health data privacy is based on trust between the health care provider and the patient,” Melamed said. A wall of shame “just compromises trust across the whole continuum of health care authority.”
Health care organizations must follow specific steps when patients’ information is inappropriately disclosed. The following comes from the U.S. Department of Health and Human Services:
Contacting those whose information was violated
— Health care organizations are required to notify people affected by a privacy breach. If the organization has out-of-date contact information for 10 or more people, it must post a notice about the violation on the home page of its website for at least 90 days, or ask major print or broadcast media to publish the news. It must include a toll-free phone number for people to call and learn if their information was involved in the breach.
— If the health care organization has out-of-date contact information for fewer than 10 people, it may alert people of the breach through a written notice, telephone or other means.
— Health care organizations have to notify patients “without unreasonable delay” and definitely no later than 60 days following the discovery of a breach. The notifications must include, when possible, a brief description of what happened, what types of information were involved, the steps people can take to protect themselves, and a description of what the organization is doing to investigate the breach, mitigate harm and prevent further breaches.
Notifying the federal government
— If a privacy violation affects 500 or more people, health care organizations must notify the federal government “without unreasonable delay,” and definitely within 60 days.
— If a breach affects fewer than 500 people, the health care organization may notify the federal government on an annual basis. The reports are due no later than 60 days after the end of the calendar year in which the breaches were discovered.
— After an organization notifies it of an unauthorized disclosure, the Office for Civil Rights within the U.S. Department of Health and Human Services can decide to investigate what happened. Depending on the investigation’s findings, health organizations could be fined or required to make changes to bring them into compliance.
— If people believe that a health care organization violated their, or others’, health information privacy rights, they may file a complaint with the Office for Civil Rights. But they generally have to do it within 180 days of the violation.
If you received a notification that there was a breach of your private medical information at St. Mary’s Regional Medical Center or elsewhere, we invite you to let us know at firstname.lastname@example.org.