Ms. D, age 48 years, was a nurse in the neurology department of a large medical center. She had been employed by the medical center for 5 years. Although divorced, she maintained a close relationship with her ex-husband, Joe, who worked at the same place as a technician in the emergency department. Joe was battling advanced-stage multiple myeloma and was being treated at the medical center where the two worked.
When Joe was diagnosed, he and Ms. D talked about his prognosis, his concerns about the future, and his treatment. He knew that he was facing an uphill battle, and he needed support from Ms. D.
“I will be there for you no matter what,” she reassured him. “Whatever you need … I’m here.”
And indeed, over the past year, Ms. D had been extremely involved in Joe’s care. She accompanied him to medical appointments, saw him through hospitalizations and a stem cell transplant, and helped him manage his medication regimen.
To facilitate Ms. D’s involvement in his care, Joe executed a number of documents that would provide Ms. D with the authority to gain access to his medical records. These documents included a durable power of attorney, an advanced medical directive, and an authorization form from the medical center itself.
Toward the end of the year, Joe’s condition worsened. The medication he was taking was affecting his ability to understand complex medical issues and he was becoming confused. He was also experiencing weakness, tremors, and impaired vision. Typing and using a computer had become increasingly difficult for him. In desperation, he called Ms. D for help.
He explained that he did not understand the significance of his latest lab results and asked Ms. D if she would look at his records and help him understand them. Ms. D, who had far more medical training than Joe, was happy to help him.
Over the next 3 months, Ms. D used her employee code to access Joe’s records 4 times. The medical center provided each employee with an individual access code to the computer system so that it could monitor what the employees were accessing. Ms. D pulled up Joe’s records and on each occasion, she was able to help explain them to him or answer a question that he had.
A few weeks later, a fellow employee mentioned to Ms. D that she had heard that the medical center was going to be auditing its computer records, and Ms. D did not give it a second thought. When the medical center itself sent a memo advising employees of the audit and stressing the medical center’s strong commitment to patient privacy, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and HIPAA’s Privacy Rule, Ms. D was not concerned.
That changed when she arrived at work the week following the audit. Within 10 minutes of clocking in, Ms. D was summoned to human resources, where several other confused-looking employees sat quietly in the waiting room. When she was called into the supervisor’s office, she began feeling uneasy, although she knew she had not done anything wrong.