According to a Boston Globe article, Tufts Medical Center and one of its primary care doctors are being sued by a patient whose privacy rights were allegedly violated when her medical history was sent to a fax machine at her workplace without her consent. The patient, Kimberly White, was recovering from a hysterectomy this past December. While recovering, she asked Dr. Kimberly Schelling to fax a form to White’s employer that was required to receive disability payments. Instead, medical records were allegedly sent to a shared fax machine in the office, which resulted in White’s medical records being viewed by at least two co-workers. White claimed that this disclosure has caused her extreme embarrassment and the inability to show her face at work again. Tufts has not yet filed a response to the complaint, but the hospital maintains that they were in full compliance with the patient’s request to share the medical information.
The HIPAA Privacy Rule allows information to be disclosed pursuant to a patient’s authorization or as otherwise permitted by the HIPAA Privacy Rule. The Office of Civil Rights (OCR) has issued guidance stating that the use of fax machines are permissible so long as reasonable safeguards are taken to protect the information from unauthorized or impermissible disclosure. If you have questions regarding patient privacy or assistance with HIPAA compliance policies and procedures, please contact a Wachler & Associates attorney at 248-544-0888.