County Posts Private Medical Data Online
The private medical information of people who sought medical assistance from the county, including Social Security numbers and treatment details, was posted on the Hidalgo County Website for nearly two months before county officials removed the private data Monday, according to a report in The Monitor.
The information was displayed online in documents linked to the Hidalgo County Commissioner’s meeting agenda and disclosed medical procedures, costs and the personal information of 25 indigent patients who received emergency room care between September 2003 and December 2004.
The media alerted officials to the situation and the information was taken offline, but officials were stymied as to how the private information appeared on the County site in the first place.
Eduardo Olivarez, director of the county health and human services department, told reporters he had no idea why the patients’ personal information was published on the Web.
“I’m not sure how it got there,” Olivarez said. “I apologize. I just don’t know how it happened.”
“The department is conducting an internal investigation into the matter,” he added.
Susan McAndrew, deputy director for health information privacy at the U.S. Department of Health and Human Services in Washington, D.C., said disclosure of an individual’s name or Social Security number violates federal health privacy laws.
“A covered entity may only use or disclose protected health information as permitted by the Rule — for example, to treat the patient, have the treatment paid for, or other business and administrative activities needed to operate the entity — or as authorized by the individual,” McAndrew said in an e-mailed statement to The Monitor.
Earlier this week, News for Public Officials published an alert issued by HIPAA Solutions, Inc. warning county officials that local government is subject to HIPAA privacy regulations.
Compliance with the Federal Health Information Portability & Accountability Act (HIPAA) is required of many public entities, including school districts and other local government entities such as counties or cities, if "Protected Health Information" (PHI) is involved in operations, according to the HIPAA Solutions advisory report.
HIPAA Solutions specializes in helping government officials understand and comply with HIPAA regulations.
In addition to the federal statute, the state Health and Safety Codes clearly address the relation of HIPAA to government and schools.
County public information officer Cari Lambrecht said the private information has been removed from the Website but said she didn’t know if county officials would notify the affected patients of the identity breach.
Paul Stephens with the Privacy Rights Clearinghouse, a California-based consumer rights group, said publishing the indigent patients’ Social Security information leaves them vulnerable to identity theft.
While the compromised data belonged to low-income residents, identity thieves use stolen Social Security numbers to open fraudulent credit card accounts or sign up for cell phone contracts. Identity thieves can also use the breached data to fraudulently receive medical care or other government services in the victim’s name. Some criminals use their victim’s identity to commit other crimes, causing unaware victims to be arrested for crimes they know nothing about.
McAndrew said people who believe their private health care information has illegally been made public should file a complaint with the HHS Office of Civil Rights by calling 1-800-368-1019.