The Adobe Flash Player is required to view this multimedia interactive. Get it here.

Hospital employees breached crash victim’s privacy

Brennan Eden (center) was involved in a crash Aug. 23 on Interstate 675 near Dayton. Andrea Eden-Shingleton and Jeff Shingleton are concerned that hospital employees may have accessed Brennan's medical records inappropriately.

Staff photo by Greg Lynch Brennan Eden (center) was involved in a crash Aug. 23 on Interstate 675 near Dayton. Andrea Eden-Shingleton and Jeff Shingleton are concerned that hospital employees may have accessed Brennan's medical records inappropriately.

ENLARGE PHOTO

Man, 68, drowns at Caesar Creek Lake
12:49 a.m.
Water rescues prompt warning from health officials
11:42 p.m.
Beach Waterpark sued for failure to deliver
11:37 p.m.
Raleigh Trammell’s defense opens in felony trial
11:37 p.m.
UD to move satellite campus to Dublin
11:32 p.m.
> More headlines

By Ben Sutherly, Staff Writer Updated 3:13 PM Thursday, October 28, 2010

DAYTON — A Mason man seriously injured in a horrific crash on Interstate 675 received notification Tuesday from Miami Valley Hospital that four employees inappropriately accessed his medical records.

In a certified letter dated Oct. 20, hospital Privacy Officer Cindy Howley wrote that employees had inappropriately viewed Brennan Eden’s emergency room notes, inpatient notes and diagnosis.

“We are taking this incident very seriously,” Howley wrote, noting hospital officials are taking steps to prevent more breaches. The hospital also will notify the U.S. Department of Health and Human Services as required by law.

“I am extremely disappointed,” said Andrea Eden-Shingleton, Eden’s mother. “When you’re in the midst of a trauma and a crisis, you are completely vulnerable. You really need everyone to protect you who’s in a position to protect you.”

The four employees are being disciplined immediately in accordance with human resources policy, hospital spokeswoman Nancy Thickel said. She declined to disclose the level of discipline. Officials are not aware of the information being sold or accessed out of malice, she said.

The inappropriate access to Eden’s medical records happened Aug. 23-24, according to the letter. The crash that broke Eden’s car into pieces and sent him flying across the highway was captured by police video on Aug. 23.

The hospital had 60 days to notify Eden, 19, from when it discovered the breach on Aug. 27. That deadline was Tuesday.

Fines are infrequent for health care privacy violations

Five days after Eden’s sensational crash Aug. 23 on Interstate 675, a privacy official brought up his case at a managers meeting at Miami Valley Hospital.

She noted that 200 employees had accessed Eden’s medical records. That disclosure came during a discussion of a more uniform patient privacy policy that took effect at Miami Valley and other Premier Health Partners hospitals on Sept. 1.

The Dayton Daily News subsequently learned of those statements, confirmed them with the hospital, and then contacted the family of Eden, 19, who is recovering at his Mason home.

Eden’s mother, Andrea Eden-Shingleton, said she initially feared that more than four employees had inappropriately viewed her son’s medical records.

“Our technology has advanced so quickly that our ethics have not caught up with it,” Eden-Shingleton said.

The privacy violations do not rise to a level that requires Miami Valley Hospital to notify the Office for Civil Rights at the U.S. Department of Health and Human Services immediately.

Instead, the hospital will notify the agency in an annual report at the end of the year, hospital spokeswoman Nancy Thickel said.

Only three health care organizations have been fined by the Office for Civil Rights for patient privacy violations:

Rite Aid Corp. and 40 affiliated entities in July 2010 agreed to pay $1 million to settle patient privacy violations after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information.
CVS Pharmacy Inc. agreed in January 2009 to pay $2.25 million for similar privacy violations.
Seattle-based Providence Health & Services agreed in July 2008 to pay $100,000 due to its loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

Contact this reporter at (937) 225-7457 or bsutherly@DaytonDailyNews.com.

@@facebook=http://www.facebook.com/daytondailynews/posts/162884197067402@@

Share this article