KELLY MCEVERS, HOST:
When you go to doctor's office, you might be given forms detailing how they'll keep your medical information private - and you might not pay much attention. NPR, in partnership with the nonprofit news organization ProPublica, has found that people snoop around in medical records all the time. While the government is focused on big data hacks, NPR's Alison Kodjak reports that individual invasions of privacy can be far more devastating.
ALISON KODJAK, BYLINE: Peter Brabeck is a 73-year-old retired oil company engineer, and he has his share of health problems.
PETER BRABECK: I've got some pretty severe spinal stenosis.
KODJAK: Brabeck's pain specialist gave him loads of medications for his spinal condition -enough to get him addicted. So his brother filed a complaint on his behalf with the California Medical Board. Then, in a bizarre twist of retaliation, the doctor hired a private detective to dig up dirt on Brabeck and his family and the doctor handed the detective all Brabeck's medical records - records that showed he was an addict and had been to rehab.
BRABECK: That just absolutely put me over the edge. That was so deliberate, and it was just so willful an attempt to inflict harm.
KODJAK: Brabeck took his case to the Office for Civil Rights at the federal Department of Health and Human Services. It's the agency designated to enforce the medical privacy law known as HIPAA. After a two-year investigation, the doctor admitted that he gave Brabeck's medical files to the detective. His punishment - pay for one year of credit monitoring for Brabeck.
BRABECK: That was it; I was stunned. That is not even the cost of one 20-minute office visit to this guy. For something that egregious - I mean, that to me borders on the criminal.
KODJAK: Jocelyn Samuels runs the Office for Civil Rights. She wasn't at the agency when Brabeck's case was decided, but she did review the file.
JOCELYN SAMUELS: Based on my reading of the documents, I think the case was resolved consistently with our general principles.
KODJAK: She says the agency focuses on cases where there's been particularly bad conduct or where a lot of people are affected. Last month, the agency required a Puerto Rico-based insurance company to pay $3.5 million and revamp its privacy procedures because of multiple breaches.
SAMUELS: We look for areas where we can add the most value.
KODJAK: Truth is the Office for Civil Rights isn't really designed to make individuals like Peter Brabeck whole. But it's the only place to go because the health privacy law bars people from filing lawsuits for medical privacy violations. Brabeck's lawyer told him he'd waste his money if he tried to sue his doctor. But some creative lawyers, like Neal Eggeson, have found ways to fight for medical privacy.
NEAL EGGESON: Her name is Wiggle Puppy.
KODJAK: He works out of a tiny office in his suburban Indianapolis home. There's a full-size Batman costume in the corner and light sabers mounted on the wall. They seem fitting for a guy who talks about his work in terms of duty and justice. Eggeson used to defend big insurance companies from car accident claims. Then he got a call from a man whose HIV status was disclosed in public court documents when his doctor sent a small unpaid bill to collection.
EGGESON: His first concern was getting the court records sealed more than anything else.
KODJAK: Eggeson did some research on HIPAA and found a way to bring a case to court.
EGGESON: Even though HIPAA itself prohibits you from filing a lawsuit, that doesn't mean that the health care provider hasn't done something wrong.
KODJAK: He argues that protecting patients' privacy is a fundamental part of medical care. So if doctor lets your information out...
EGGESON: That is medical malpractice, and that's how I decided to pursue the case.
KODJAK: And he won the case. A jury awarded the man $1.2 million, and ever since Eggeson's been getting calls from people nearly every day.
EGGESON: Let's see, one, two, three...
KODJAK: But he only has so much time.
EGGESON: Ten so far this week.
KODJAK: One case he did take on was a young mother named Frances, who works as a dental assistant. She didn't want her last name disclosed because of a gag clause in her legal settlement. Frances says an angry former friend revealed on Facebook that she has HPV, a sexually-transmitted disease that can cause genital warts - or worse, cancer.
FRANCES: When they told me it was on Facebook - like, public - like, that was, like - my heart, like, fell to my stomach. I mean, I started crying, like, immediately.
KODJAK: Soon everyone in town was talking and joining in the Facebook ridicule.
FRANCES: Basically, just calling names, like [expletive] and, like - you know, like, stuff, like - very indecent names.
KODJAK: Frances suspected the woman looked up her records at the local hospital where she worked. She printed out the Facebook post and brought it to the hospital to complain. The woman no longer works at the hospital. Still, the genie was out of the bottle, and the public shaming continued. Frances started to avoid people, drive for miles to a grocery store where she wouldn't see anyone she knew. She saw a therapist.
FRANCES: I just felt like I have no, like - like, no self-worth, like I was worth nothing.
KODJAK: Neal Eggeson helped her win a settlement with the hospital. He was able to do that because Frances lives in Indiana, where Eggeson is licensed, and the courts will hear these cases. But judges in several states, including Minnesota and New York, have refused to let cases like these move forward. So how often do small medical privacy breaches happen? It's impossible to know. The Office for Civil Rights alone gets more than 25,000 reports a year. Charles Ornstein is an investigative reporter at ProPublica who has tracked medical privacy breaches.
CHARLES ORNSTEIN: These are people who are deliberately going into somebody's medical record, trying to find embarrassing information out and trying to spread that information. And so it's targeted, its malicious often and it's designed to embarrassed.
KODJAK: He says government officials could crack down on small breaches with steep fines and even jail. But most of the time, they're focused on the company, not the victim.
ORNSTEIN: And more often than not - in fact, far more often than not - the office prefers to work together with the health provider to fix the problem. And only on very rare occasions does it seek fines or penalties.
KODJAK: There are solutions. Some hospitals are developing systems similar to those used by credit-card companies. They alert managers when employees look at medical records they maybe shouldn't be looking at. But there's little incentive to invest in such systems when the penalties for privacy breaches are so small. Alison Kodjak, NPR News.
MCEVERS: There's more about the ProPublica investigation, including additional stories about violations of medical privacy, at npr.org. Transcript provided by NPR, Copyright NPR.
