Former Patient Advocate took Medical Records from Hospital, Alleges Hospital Instructed her to Destroy Them

Approximately 233 pages of confidential patient grievance files are at the center of a legal storm in U.S. District Court for the District of Minnesota. In the case of Peterson v. HealthEast Woodwinds Hospital, the plaintiff, a former Patient Advocate, alleges she was instructed to improperly destroy medical files. According to her Complaint, this caused Peterson stress that required her to take a leave of absence and led her to attempt suicide. In her Complaint, Peterson asserts counts under the Family Medical Leave Act, Improper Destruction of Documents, Violation of Public Policy, and Negligent and Intentional Infliction of Emotional Distress. Among other things, she alleges she was told to remove and destroy any medical-related correspondence with patients or families that could become discoverable during any potential medical negligence or personal injury claim against the hospital. She also alleges she was ordered not to discuss with a first-time mother patient an allegation that an OB-GYN physician was inebriated during a delivery. Peterson was terminated on June 1, 2011 for not coming to work and failing to maintain contact with her employer.

Prior to her departure, Peterson took home medical records and files which she claims support her legal claims. When the hospital learned of this in the course of discovery, it demanded the documents be returned citing patient privacy concerns under HIPAA. After the parties were unable to come to an agreement, the magistrate judge assigned to the case issued an Order instructing Peterson to provide copies to the hospital, designating the records "attorney's eyes only", and ordering that all copies be returned to the hospital at the conclusion of the litigation.  The court based its order on the so-called HIPAA Whistleblower exception at 45 C.F.R. Section 164.502(j)(i).  That section provides that a covered entity will not be considered to have violated the privacy requirements of HIPAA if a member of its workforce, who believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, discloses protected health information to her attorney or a public health authority.

Employers are often confronted with the frustration of learning that a disgruntled employee or former employee has taken home confidential or trade secret documents which he or she intended to use to protect their interests, whether in litigation or otherwise. In this case, the hospital faced the added concern of confidentiality under HIPAA. 

 

 

 


No Discovery of Patient Records In Federal Employment Case

The U.S. District Court for the Southern District of Ohio found the confidentiality rights of patients outweighed a plaintiff’s need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc. Plaintiff, a former nurse, brought suit in the federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws. Specifically, plaintiff alleged defendant had alternative motives for plaintiff’s termination, including plaintiff’s age, perceived disability, and plaintiff’s request for FMLA leave. To establish her case, plaintiff sought to ascertain, through the discovery process, whether other similarly situated nurses were treated in a like manner. To do so, plaintiff filed a motion to compel seeking access to non-party patient records in an attempt to discern whether other nurses had engaged in essentially the same conduct for which defendant terminated plaintiff, but were not themselves terminated. The Magistrate Judge denied plaintiff’s motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records. The plaintiff objected to the Magistrate Judge’s Order, and those objections were heard by the District Court Judge. The District Court Judge held that “[a]lthough state privilege law does not control…there are abundant and adequate federal principles that protect patient confidentiality.” The Court went on to state,

the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records. 

The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.

The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiff’s bar in an effort to prove the merits of their clients’ claims. Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiffs’ unfounded discovery requests and to protect their patients’ privacy.


Hospitals Fire 32 Employees for Medical Privacy Breach

The Minneapolis Star Tribune has reported that two hospitals in Anoka County, Minnesota, terminated a combined total of 32 employees for unauthorized access of electronic medical records on May 6, 2011.  The two hospitals, Unity Hospital in Fridley, Minnesota and Mercy Hospital in Coon Rapids, Minnesota, are both part of the Allina Health System.  In April, the Minnesota Court of Appeals, in an unemployment compensation decision, upheld the enforcement of Allina's "zero-tolerance policy" with regard to unauthorized access to medical records.  Allina relied on the same policy in the latest firings.

The records leading to the mass termination related to a tragic incident involving 11 teenagers and young adults who were hospitalized after overdosing on synthetic drugs after a party on March 17. One of them, a 19-year-old, died, and murder charges have been brought against a Blaine, Minnesota, man who allegedly provided the drugs.

Allina stated that it has the ability to track any employee's access of electronic medical records and, because these patients were involved in a "high profile case," the hospital conducted a review of their audit trails and discovered that 32 employees had accessed the records without authorization. 

The increasing use of electronic medical records makes these types of audits easier and more important than ever before. Although the high number of employees involved is unusual, according to the Star Tribune report, it is not the largest on record - in 2007 more than 100 employees were suspended from another Minnesota medical provider for similar concerns.

The HIPAA security regulations require that covered entities be able to audit activities on information systems containing electronic protected health information. With increasing agency enforcement, health care providers and other covered entities and business associates should revisit this aspect of their HIPAA policies and procedures.
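The kind of audit-trail review described above can be sketched in a few lines. The following is an added illustration, not Allina's actual process or code from the report: the log format, the care-team assignment table, and every patient and user identifier are constructed assumptions. It lists accesses to a set of high-profile patient records by anyone without a documented treatment relationship at the time, producing a list for human review rather than a finding of wrongdoing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: all identifiers and timestamps are invented.
WATCHLIST = {"P-1001", "P-1002"}  # patients tied to the high-profile incident

# Hypothetical care-team table: (user, patient) -> (start, end) of assignment
ASSIGNMENTS = {
    ("nurse_a", "P-1001"): ("2011-03-17T22:00", "2011-03-19T08:00"),
    ("dr_b", "P-1002"): ("2011-03-17T22:30", "2011-03-20T12:00"),
}

# Assumed audit-trail export: timestamp,user,patient,action
AUDIT_LOG = """\
2011-03-18T01:15,nurse_a,P-1001,VIEW_CHART
2011-03-18T09:40,clerk_c,P-1001,VIEW_CHART
2011-03-18T09:42,clerk_c,P-1002,VIEW_LABS
2011-03-21T14:05,nurse_a,P-1001,VIEW_CHART
2011-03-18T10:00,dr_b,P-1002,VIEW_CHART
2011-03-18T11:00,tech_d,P-2000,VIEW_CHART
not,a,valid line
"""

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def review(log_text, watchlist, assignments):
    """Return ({user: [(timestamp, patient, action)]}, malformed_lines)."""
    flagged, malformed = defaultdict(list), []
    for line in log_text.splitlines():
        try:
            ts_raw, user, patient, action = [p.strip() for p in line.split(",")]
            ts = parse(ts_raw)
        except ValueError:
            malformed.append(line)  # keep for follow-up, never drop silently
            continue
        if patient not in watchlist:
            continue
        window = assignments.get((user, patient))
        if window and parse(window[0]) <= ts <= parse(window[1]):
            continue  # access inside a documented treatment relationship
        flagged[user].append((ts_raw, patient, action))
    return dict(flagged), malformed

if __name__ == "__main__":
    hits, bad = review(AUDIT_LOG, WATCHLIST, ASSIGNMENTS)
    for user, events in sorted(hits.items()):
        print(user, events)
    print("unparsed lines:", bad)
```

Note that an assigned caregiver who opens the chart after the assignment has ended is listed as well, which a simple "is this user on the care team" check would miss.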

 Update: read the Star Tribune editorial justifying the firings.

 


California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use or disclosure of that patient's medical information.

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

  • $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
  • $250,000 because the facility failed to prevent the theft of 596 patients’ medical information.

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to a maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents. Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continues to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue.
