Category: Article or Commentary

Dismissing a student for blogging about patients – free speech v. confidentiality agreements in the Sixth Circuit

By , May 16, 2013 7:28 am

Long-time readers may remember the case of Nina Yoder, a nursing student who was expelled from the University of Louisville School of Nursing [SON] in 2009 for allegedly breaching the honor code and confidentiality agreements she had signed by her posts on MySpace.  A district judge had ordered her reinstatement in August 2009, and Yoder eventually graduated from the program, but it seems the part of her lawsuit dealing with damages and constitutional issues of free speech and due process had not been addressed and remained in the courts.

The question of what nursing or medical students or staff can say online that might be subject to disciplinary action is an important one, as it may pit notions of protected speech against an entity’s or employer’s legitimate concerns about disclosures. The issue also raises questions about whether online speech during off-duty hours on one’s own computer can be subject to disciplinary action.  Since the time this case first arose, a number of schools have attempted to regulate off-campus online speech in attempts to deal with cyber-bullying.  But what about adults disclosing information learned on the job or in their internships or rotations if they’ve signed a confidentiality agreement?

In an opinion issued by the Sixth Circuit Court of Appeals on the free speech claim, the court notes the absence of relevant precedent:

In addition, both parties rely heavily on Supreme Court cases that govern student speech standards, none of which considers the unique circumstances posed here. Yoder has not identified any case—nor are we aware of any—that undermines a university’s ability to take action against a nursing (or medical) student for making comments off campus that implicate patient privacy concerns. Defendants have legal and ethical obligations to ensure that patient confidentiality is protected, and that nursing students are trained with regard to their ethical obligations. See, e.g., Ky. Rev. Stat. § 314.031(4)(d), (k); id. § 314.111. Yoder gained access to the Patient through the SON’s clinical program, and patients allow SON students to observe their medical treatment in reliance on the students’ agreement not to share information about their medical treatment and personal background. Under such circumstances, Defendants could not “fairly be said to ‘know’ that the law forb[ids] [discharging a student under these circumstances].” Harlow, 457 U.S. at 818.

You can read the full opinion here (pdf).  They do not seem to reach the issue of whether Yoder’s speech was protected speech, but analyze whether the university officials had reasonable grounds to believe that Yoder had waived any First Amendment rights because she had signed the confidentiality agreement and other documents.

Unions eye medical privacy violation

By , May 15, 2013 6:52 am

O’Ryan Johnson reports:

Police, fire and EMS unions are accusing the Boston Public Health Commission of going behind the backs of bombing victims to collect private medical information about those who sought “primary care and other outpatient” help days and weeks after the bombings.

The commission has sent letters to 13 area hospitals and 25 health clinics seeking the data.

The move has outraged the city’s first responders — some of whom are only now seeking help themselves with mental health issues — who argue the search exposes a victim’s confidential medical information without consent.

Read more in the Boston Herald.

I can understand that a government agency may want to/need to know about the scope of public health needs, but this is not the way to do it. You can ask, but should not demand providers turn over patients’ names, birthdays, addresses, cellphone numbers, chief complaint and diagnoses of victims.

Is the city exempt from HIPAA under these circumstances? I’m not sure, but I don’t think this is the way to do things.

Dzhokhar Tsarnaev and his right to privacy

By , May 5, 2013 9:12 am

Shirie Leng, M.D., writes:

I am affiliated with the institution where Dzhokhar Tsarnaev is currently hospitalized. I am friends with people who have treated him. I’m trying to stay away from those people; I would be unable to help asking them about him. They might be unable to help talking about him.

There has been a flurry of emails and red-letter warnings cautioning people here not to talk about Mr. Tsarnaev or look him up on the EMR (electronic medical record) system. Despite this, there have been leaks of information and photos from various sources. It is virtually impossible to keep people from asking about him and talking about him. Curiosity is human nature. When human nature comes up against morals and laws, human nature will win a good percentage of the time.

Read more on KevinMD.

Reporting Fail: The Reidentification of Personal Genome Project Participants

By , May 4, 2013 7:11 am

The issue of how easy – or difficult – it might be to re-identify “de-identified” data is crucial to discussions of using PHI in research. Jane Yakowitz writes:

Last week, a Forbes article by Adam Tanner announced that a research team led by Latanya Sweeney had re-identified “more than 40% of a sample of anonymous participants” in Harvard’s Personal Genome Project. Sweeney is a progenitor of demonstration attack research. Her research was extremely influential during the design of HIPAA, and I have both praised and criticized her work before.

Right off the bat, Tanner’s article is misleading. From the headline, a reader would assume that research participants were re-identified using their genetic sequence. And the “40% of a sample” line suggests that Sweeney had re-identified 40% of a random sample. Neither of these assumptions is correct. Even using the words “re-identified” and “anonymous” is improvident. Yet the misinformation has proliferated, with rounding up to “nearly half” or “97%.”

Here’s what actually happened:

Read more on Info/Law.

Washington hospital hit by $1.03 million cyberheist

By , May 2, 2013 7:41 am

Regular readers may recall the frustration I reported when calls to Uniontown Hospital to alert them to a security breach went unanswered. I’m not the only one who can’t get a response when a response might be in the entity’s best interests. Consider this report by security blogger Brian Krebs:

Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.

Last Friday, The Wenatchee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.

On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.

Read more on KrebsOnSecurity.

Maybe if insurers decline to cover losses if they find out that someone tried to warn the entity and the entity ignored or failed to respond to the attempted alerts, it would help?