A local LGBT-specific healthcare and HIV/AIDS services provider may face complaints and potential penalties from the federal government after a July 18 mass email divulged nearly 200 patient names because the message recipients were not properly hidden.
Repeated requests for the organization to comment for this story were not returned.
The email in question, beginning with “Dear Patients,” was sent to nearly 170 people by Northstar Healthcare, one of the city’s largest HIV services and research organizations, with all of the recipient email addresses clearly visible, compromising the privacy of patients. Northstar has offered a variety of healthcare services in addition to its HIV/AIDS programs, including laser hair removal and skin rejuvenation treatments, for over 22 years and is led by Berger, who is an internationally known HIV/AIDS specialist.
Shortly after the email was sent and the organization was alerted to its mistake, another email was sent by Northstar’s Ben Veach — this time with recipients hidden — apologizing for the breach in confidentiality:
“Recently an email was sent out announcing new developments at Northstar. The email went out to a greater audience than intended. Recipients included individuals who had contacted Northstar by email in the past, unspecific to any particular affiliation with the clinic.
More importantly, Northstar respects your privacy and we intended to send this as a Bcc. Please accept my apologies; I did not realize my error until it was sent. I am extremely sorry for this oversight.”
Divulging patient names or information — meant to be entirely confidential by healthcare providers — could be a massive violation of state and federal laws created to protect the privacy of patients, as pointed out by an investigation into the matter by CBS 2 Chicago. The Illinois AIDS Confidentiality Act, for instance, states that sharing a patient’s HIV status without their consent could be a misdemeanor offense. It also provides that patients can pursue legal action if their status is shared without their consent and can demand damages of at least $2,000 in cases of negligence — or without intention to breach privacy.
However, because the email did not explicitly reveal patients’ HIV status, Ann Hilton Fisher, executive director at the AIDS Legal Council of Chicago, questions the ability of the patients to file legal claims for damages under the AIDS Confidentiality Act. There’s no way to prove that everyone on the patient email list has HIV and that Northstar is not known in the community as simply an HIV/AIDS clinic, she said.
Fisher contends that the email would have to be more specific and would have had to directly identify the recipients as HIV/AIDS patients, perhaps starting with “For those of you who are receiving HIV medication…” or “An important notification for our HIV patients…,” she said. In other words, “Dear Patients” does not mean “Dear HIV-positive Patients.” No such identification was made.
“I do not think that you can say that anyone’s HIV status was disclosed,” Fisher said. “As a result, I don’t think you have any remedies under Illinois’ AIDS Confidentiality Act. Are there remedies under something else? This is where I am less than an expert. The next possibility would be HIPAA.”
HIPAA is the Health Insurance Portability and Accountability Act, a federal law that mandates safeguards for the protection of patient medical records, and holds violators accountable with potential criminal and civil penalties.
At least one former HIV services patient is seeking to file a HIPAA complaint against Northstar, alleging that her identity was revealed in the email because her email address is composed of her first and last name. With confidentiality in mind, the patient requested that she be identified only by first name, Joel, in this article.
“It was a slap in the face,” Joel said of the email list. “It should be my right for me to tell whom I want to tell and decide how it gets out there.”
Fisher notes that under HIPAA, complaints can be filed up to 90 days after the incident occurred, or until Oct. 18. Her organization will assist people in filing those complaints, she said, but noted that she’s waiting to see what action, if any, the U.S. Department of Health and Human Services takes. So far, three people have come to ALCC for help, according to Fisher.
Joel started using Northstar’s services in 2002 for its HIV program and for her primary healthcare, but stopped in July when her physician moved to another organization and the email blast revealed her identity, she said.
“Technically, I was still a patient after I got it, and it confirmed to me that I was going to follow my doctor,” Joel said. “I think I got like 16 other emails from other people that were just lividly pissed about receiving the email.”
Joel adds that she wasn’t satisfied by the clinic’s email apology for the incident, calling it a “cold response” and saying that staff should have called each patient individually to apologize and assure them that steps were being taken to protect privacy.
For now, Joel is working with the ALCC for guidance while filing her complaint, and is gradually getting settled in at her new primary healthcare provider. When asked what the organization could do to prevent further incidents like the one that affected her, Joel said that staff should be trained better.
“Fortunately, I don’t have to worry about it because I’m no longer going there.”
The U.S. Department of Health & Human Services could not immediately be reached for comment Monday.