Recently, the Pennsylvania Department of Health cited the Lehigh Valley Health Network (LVHN) for failure to protect personal health information (PHI). A May 2019 Department of Health inspection concluded that LVHN committed a privacy breach by failing to take measures to safeguard patient data; failing to maintain a medical record in a confidential manner; and failing to safeguard access to confidential patient information. This conclusion was reached despite LVHN’s own prior acknowledgment that a Lehigh Valley Hospital physician, in 2007, had committed a privacy breach by accessing medical information for months – 12 times in total – on a patient that physician was not even treating.

LVHN Sued for Privacy Breach

The citation did not name a specific patient, instead simply noting that the patient was discharged on April 1, 2017. This date coincides with the date a Steven Kahlon was discharged from Lehigh Valley Hospital. Kahlon subsequently sued LVHN in 2018 for a privacy breach, according to lawsuit records.

Lawsuit Contends Privacy Breach Was Continuous

Kahlon’s lawsuit contends that plastic surgeon Dr. Johnny Shea-Yuan Chung accessed Kahlon’s medical information a dozen times between February and June 2017, despite the fact that he was not treating Kahlon. In response, Chung, who has since left LVHN, denied improperly accessing Kahlon’s medical records and denied breaching any legal obligations or violating the law. Chung has claimed, in his defense, that he had an active doctor-patient relationship with Kahlon at the time.

Meanwhile, LVHN is working on a plan to address the issues cited by the Health Department in its May 2019 inspection. When the new plan is submitted, the Department of Health will post it on its site.

What Can be Learned from this Episode?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted, in part, to prevent covered entities (e.g., health providers) from sharing patient protected health information (PHI), including PHI in electronic form (ePHI), without patient authorization. Providers may share information for treatment, health care operations and payment purposes without patient consent; however, providers who have no legitimate need to access the PHI violate the HIPAA Privacy Rule prohibitions on unauthorized use and disclosure of PHI (and commit a privacy breach) when they engage in such access.
