Former Patient Advocate took Medical Records from Hospital, Alleges Hospital Instructed her to Destroy Them

Approximately 233 pages of confidential patient grievance files are at the center of a legal storm in U.S. District Court for the District of Minnesota. In the case of Peterson v. HealthEast Woodwinds Hospital, the plaintiff, a former Patient Advocate, alleges she was instructed to improperly destroy medical files. According to her Complaint, this caused Peterson stress that required her to take a leave of absence and led her to attempt suicide. In her Complaint, Peterson asserts counts under the Family Medical Leave Act, Improper Destruction of Documents, Violation of Public Policy, and Negligent and Intentional Infliction of Emotional Distress. Among other things, she alleges she was told to remove and destroy any medical-related correspondence with patients or families that could become discoverable during any potential medical negligence or personal injury claim against the hospital. She also alleges she was ordered not to discuss with a first-time mother patient an allegation that an OB-GYN physician was inebriated during a delivery. Peterson was terminated on June 1, 2011 for not coming to work and failing to maintain contact with her employer.

Prior to her departure, Peterson took home medical records and files which she claims support her legal claims. When the hospital learned of this in the course of discovery, it demanded the documents be returned, citing patient privacy concerns under HIPAA. After the parties were unable to come to an agreement, the magistrate judge assigned to the case issued an Order instructing Peterson to provide copies to the hospital, designating the records "attorney's eyes only", and ordering that all copies be returned to the hospital at the conclusion of the litigation. The court based its order on the so-called HIPAA Whistleblower exception at 45 C.F.R. Section 164.502(j)(i). That section provides that a covered entity will not be considered to have violated the privacy requirements of HIPAA if a member of its workforce, who believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, discloses protected health information to her attorney or a public health authority.

Employers are often confronted with the frustration of learning that a disgruntled employee or former employee has taken home confidential or trade secret documents which he or she intends to use to protect his or her interests, whether in litigation or otherwise. In this case, the hospital faced the added concern of confidentiality under HIPAA.

 

 

 


Hospitals Fire 32 Employees for Medical Privacy Breach

The Minneapolis Star Tribune has reported that two hospitals in Anoka County, Minnesota, terminated a combined total of 32 employees for unauthorized access of electronic medical records on May 6, 2011.  The two hospitals, Unity Hospital in Fridley, Minnesota and Mercy Hospital in Coon Rapids, Minnesota, are both part of the Allina Health System.  In April, the Minnesota Court of Appeals, in an unemployment compensation decision, upheld the enforcement of Allina's "zero-tolerance policy" with regard to unauthorized access to medical records.  Allina relied on the same policy in the latest firings.

The records leading to the mass termination related to a tragic incident involving 11 teenagers and young adults who were hospitalized after overdosing on synthetic drugs after a party on March 17. One of them, a 19-year-old, died, and murder charges have been brought against a Blaine, Minnesota, man who allegedly provided the drugs.

Allina stated that it has the ability to track any employee's access of electronic medical records and, because these patients were involved in a "high profile case," the hospital conducted a review of their audit trails and discovered that 32 employees had accessed the records without authorization. 

The increasing use of electronic medical records makes these types of audits easier and more important than ever before. Although the high number of employees involved is unusual, according to the Star Tribune report, it is not the largest on record: in 2007 more than 100 employees were suspended from another Minnesota medical provider for similar concerns.

The HIPAA security regulations require that covered entities be able to audit activities on information systems containing electronic protected health information. With increasing agency enforcement, health care providers and other covered entities and business associates should revisit this aspect of their HIPAA policies and procedures.

 Update: read the Star Tribune editorial justifying the firings.

 


HHS Settlement Follows Enforcement Fine

In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data.  This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine.  The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.  

Although the settlement did not include an admission of liability, in addition to paying the monetary settlement and submitting to HHS oversight, the hospital must adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility. Under the settlement, the hospital must present new privacy and data security policies and procedures covering administrative, physical, and technical safeguards for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices. Despite a general prohibition on employees physically removing protected health information from the hospital, HHS permitted an exception when the information is removed by an employee to perform his or her job duties. Additionally, the hospital must implement training for all employees.

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions.  In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.

 
