Sexual Assault Victim Sues Hospital for Allegedly Disclosing PHI to her Attacker

A sexual assault victim has filed a lawsuit against a Kansas hospital for disclosing her private health information to her attacker. The then proceeded to harass her for weeks following the initial assault.

The woman sought medical treatment from Atchison Hospital in Kansas following a sexual assault. After undergoing a rape-kit exam, she claims that an x-ray technician accessed her medical information and contacted her attacker, informing him that he was being accused of rape. The victim claims that she made it clear to hospital staff that she did not wish any of her information to be disclosed to third-parties following her examination. Aside from being against the patient’s wishes, the disclosure is a clear violation of HIPAA’s Privacy Rule.

After being informed of the victim’s hospital visit, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

“Such communications were highly threatening and contained graphic language and pornographic content,” the court papers claim. “The assailant also stalked Plaintiff in public and at her home. The harassment escalated to violence when, approximately six months later, Plaintiff was sexually assaulted by the same man a second time.”

Initially, the victim filed a complaint with the hospital over the privacy violation. An internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorised accessing of her medical records and interviews were conducted with staff members.

Although investigators failed to find evidence to suggest the woman’s electronic medical records had been accessed inappropriately, the hospital concluded the X-ray technician had viewed the woman’s medical information in the hospital’s health information department.  As the x-ray technician had no direct care relationship with the patient, she did not have the authorisation to access her files and therefore violated HIPAA.

The hospital apologised for the privacy breach and reviewed an updated its policies and procedures to reduce the risk of further incidents such as this occurring.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, Cushing hospital was not informed of their new employee’s conduct previous conduct. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the woman’s potential new employer.

Hospital CEO, John Jacobson stated to the Atchison Globe, saying “Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual’s employment.”

In the lawsuit, Atchison Hospital is accused of having inadequate policies in place to protect against the unauthorised accessing of patient information. It further claims that the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The woman is seeking at least $75,000 on each count of invasion of privacy, breach of fiduciary duty and negligence, as well as punitive damages, according to the lawsuit.