The Misuse of Protected Information

Betty had to pick up her 14-year-old daughter, Traci, early from school due to a plumbing problem that closed the school early. Since Betty, the custodian of client records for an outpatient mental health center, was scheduled to work for several more hours, she allowed her daughter to complete her homework at the work desk near her. Since Betty had to run charts to clinicians at various times, her daughter was left unsupervised. Bored, Traci began browsing through patient charts that had been left on the desk and through client records on her mother’s computer (she gained access with the password she saw her mother use, posted inside her mother’s desk drawer). Traci even went as far as prank calling clients who had been tested for HIV, pretending to be with the clinic and reporting false results. One client died by suicide after receiving Traci’s call that she was HIV positive.

Discussion Questions

1. List the HIPAA violations committed in this case study (based on an actual 2003 incident).

2. Who is liable in this case? Why?