Breaches of the Health Insurance Portability and Accountability Act (HIPAA) — whether due to carelessness or malice — may occur in private, but they tend to be discovered down the road. Recent punitive actions against healthcare employees allegedly violating HIPAA’s privacy rule illustrate this point … and serve as reminders to healthcare professionals to maintain good HIPAA hygiene.

Nursing professional’s license suspended after sharing PHI with new employer

Nurse practitioner Martha C. Smith-Lightfoot has had her license suspended by the New York State Education Department for a HIPAA violation involving around 3,000 patients. Three years ago, Smith-Lightfoot allegedly transferred a spreadsheet from her soon-to-be former employer University of Rochester Medical Center (URMC) to her new employer, Greater Rochester Neurology. The spreadsheet contained the names, addresses, dates of birth, and medical diagnoses of 3,000 individuals.

Before Smith-Lightfoot left URMC’s employ, she asked to be supplied with patient information so that she could offer those patients care continuity. Although URMC gave her the spreadsheet containing the aforementioned personally identifiable information, it did not grant her permission to take it with her, nor did the medical center allow her to give the spreadsheet to her new employer. The fact that she did so was a violation of the HIPAA privacy rule and an impermissible disclosure of protected health information (PHI).

Recipient of PHI used it to solicit business from privacy-violated patients

Perhaps the breach would have gone undiscovered if patients hadn’t approached URMC and asked why they were being solicited by Greater Rochester Neurology. At that point, URMC contacted Greater Rochester Neurology, who returned the spreadsheet (but of course the damage had already been done). Per HIPAA requirements, a report was made to the Department of Health and Human Services’ Office for Civil Rights (OCR) detailing the privacy breach. The New York attorney general was also notified.

OCR conducted an investigation, ultimately closing the case without levying any monetary penalties on URMC or Smith-Lightfoot. However, the New York attorney general at the time (Eric Schneiderman) slapped URMC with a $15,000 fine.

Additionally, an investigation into the nurse practitioner’s behavior was conducted by the New York State Education Department (the state’s professional licensing body). Last fall, following an admission that she disclosed personally identifiable patient information to a third party, Smith-Lightfoot signed a consent order with the state nursing board Office for Professional Discipline, an order that was accepted by the Board of Regents last winter.

The Department handed down a 12-month suspension of Smith-Lightfoot’s professional license, a 12-month stayed suspension, and three years of probation.

Health system’s employees may have been “snooping” when they violated HIPAA

Another recent HIPAA violation that has received much attention is the one involving the Washington Health System. Allegedly, employees of the health system inappropriately accessed the medical records of patients; although the link is unconfirmed, the breach is suspected to have occurred after the death of another employee. An employee of Washington Health System’s Neighbor Health Center, Kimberly Dollard, 57, died while at work; Chad Spence, 43, apparently lost control of an automobile he was driving, and the car collided with the facility, killing Dollard and injuring Spence and another individual (both of whom were admitted to the hospital).

HIPAA stipulates that patient health records may only be accessed for justified medical reasons, like treatment or payment, or in the course of healthcare operations … curiosity (“snooping”) obviously not on the approved list. Therefore, this alleged inappropriate access by Washington Health System employees represents a clear HIPAA violation.

The health system has suspended several employees (the exact number is unknown at this point) while it investigates the matter. HIPAA violations can result in disciplinary measures such as temporary or permanent loss of employment and/or professional license, but they can also result in violators being charged criminally.

Healthcare employees would be wise to remember that accessing PHI creates a digital trail, and therefore inappropriate access is likely to be discovered.

This article is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation. For more information/questions regarding any legal matters, please email info@nelsonhardiman.com or call 310.203.2800.