Most people deal with HIPAA only in passing. When they visit the doctor, somewhere in the stack of paperwork is a form that says something about privacy, which they sign and hand back in before sitting back down. It’s not the sort of thing most of them think about — until something they don’t want out in the world makes its way there.
“Those disclosures can have catastrophic effects on patients, because once it’s disclosed you can’t unknow it,” attorney Maureen Brady said.
Brady has obtained millions of dollars for clients in cases involving medical-privacy breaches, and her own trailblazing work has made that possible. She has become the go-to authority on issues of medical privacy, developing CLEs on the topic and representing clients through her Kansas City firm of McShane & Brady.
HIPAA, the Health Insurance Portability and Accountability Act, is widely hailed as the federal law that ensures patient privacy on the part of medical providers. The law actually protects healthcare providers by outlining the situations in which they may disclose patient information, Brady said. This distinction meant that patients had little legal recourse if a provider violated their privacy, as no course of action existed for them. That is, until Brady stepped in.
“I would like to see more people be able to ensure their privacy,” Brady said. “Health care providers are giving lip service to HIPAA, [and] then they turn around and disclose [patient information]. They’re not taking it seriously.”
A graduate of Michigan State University College of Law, Brady became interested in medical-privacy law when she worked as a civil-litigation defense attorney at Sanders, Warren & Russell. Her work often brought up questions involving medical privacy, such as whether defense attorneys could have ex parte communications with plaintiffs’ treating doctors. She became even more interested after she started her plaintiffs’ firm in 2013. She worked on a case in which her client lost a child-custody case due to the release of medical records that disclosed he had received treatment for substance abuse.
Brady realized that even though HIPAA is a procedural statute that did not allow plaintiffs to bring a cause of action, state laws recognized the importance of patient privacy. Brady has since recovered millions for her clients in cases with “Breach of Fiduciary Duty of Confidentiality of Medical Information” as a cause of action.
“There was no precedent on it,” Brady said. “Nobody had ever done it before.”
Brady’s victories in developing the area of law include a $17 million settlement in the Pennsylvania case of Beckett v. AETNA, a $1.6 million settlement in the Jackson County case of Cox. v. Valley Hope Associates, and a $400,000 settlement in Shorts v. Midwest Women’s Healthcare Specialists, when medical records for 1,500 patients were tossed in an open trash receptacle and scattered by the wind.
Breaches of privacy most often happen when records-keepers release information without confirming that a court order authored the release, Brady said. Health care consumers should realize, however, that privacy guarantees are built into medical costs. Training staff and maintaining computer systems cost money, and those costs are passed along to consumers. This also means that providers have a fiduciary duty to maintain patient privacy, Brady said.
Disclosures also often happen when health care employees get curious about patients who they might know personally and then relay that information to others, Brady said.
“Everyone thinks ‘What’s the big deal? She stubbed her toe,’” Brady said. “The big deal is she has the right to keep that private, and you don’t have the right to know it.”