Terminating an employee for HIPAA violation: A success story

How one medical provider appropriately managed its HIPAA compliance by consistently enforcing its policies and security measures.

Employers who are subject to HIPAA must ensure they have the proper monitoring protocols and policies in place to quickly and aptly tackle any violations.

A recent case highlights how one medical provider appropriately managed its HIPAA compliance by consistently enforcing its policies and keeping tabs on who accessed protected health information. While the case involves a provider, employers with health plans subject to HIPAA can also learn some valuable lessons from this case.

Background

Lankenau Medical Center (Lankenau) is an acute care hospital that is part of Main Line Health (MLH), a not-for-profit health system. Gloria Terrell (Terrell) worked as an operating room (OR) secretary for Lankenau for more than 35 years. As an OR secretary, Terrell was responsible for the OR schedule, calling for patients, sending for blood and medications, patient billing and charts, office supplies, ordering uniforms and other related duties.

In her capacity as OR secretary, Terrell had access to the hospital system used to store various forms of protected health information (PHI) such as patient names, dates of birth, social security numbers, phone numbers, and insurance information. However, she did not have access to patient medical charts. As in many health care organizations, employees were often also patients of Lankenau.

On August 15, 2016, Terrell accessed a coworker’s home phone number in the MLH system. Seven days later Terrell accessed it again. Generally, employee phone numbers are kept in a list on a clipboard in the OR. However, the clipboard had been missing on both occasions.

MLH Policies

As a medical provider, MLH is subject to the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). In particular, MLH has a number of policies and processes designed to ensure the privacy of patient information and compliance with HIPAA:

To monitor for compliance, MLH implemented privacy monitoring technology. The technology monitored employee system usage for access to Personally Identifiable Information (“PII”) and/or PHI to identify usage that is not based on legitimate business purposes.

Employees who violate MLH policy are subject to a performance management policy that includes disciplinary action up to and including termination. It was a violation of the policy to access “PHI outside the scope of job duties (to compare coworker workloads, learn about clinical operations)” and/or check “on a coworker, family member or neighbor.”

Terrell’s conduct and policy violations and the fallout

Terrell’s access on August 15th was flagged by the privacy monitoring technology. As a result, MLH launched an investigation and found Terrell’s second access, which had occurred seven days later.
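The detection pattern in this case (a monitoring rule flags one access, and the investigation then pulls the user’s related accesses) can be shown on an audit log. The following is an added illustration, not MLH’s monitoring product or any code from the case: a rule that flags the first time a user in a non-clinical role opens the record of an employee who is also a patient, then expands the hit to every access by that user to the same record within a 30-day window. The staff directory, role names and audit lines are constructed, and the field names are assumptions.

```python
"""Audit-log review for access to a coworker's PHI/PII without a business need.

Added illustration (not MLH's monitoring system). Every user id, role,
record id and log line below is constructed for the example.
"""
from datetime import datetime, timedelta

# Constructed staff directory: user id -> role, plus the patient record id
# when the employee is also a patient of the hospital.
STAFF = {
    "u1001": {"role": "or_secretary", "patient_id": None},
    "u1002": {"role": "or_nurse", "patient_id": "p55"},
    "u1003": {"role": "surgeon", "patient_id": None},
}

# Assumed roles whose duties include opening patient demographics for
# treatment, payment or operations; accesses by these roles are not
# examined by this particular rule.
CLINICAL_ROLES = {"surgeon", "or_nurse", "billing"}

# Constructed audit lines: timestamp|user|action|record|field
AUDIT_LOG = """\
2016-08-15T07:02:11|u1001|view|p55|home_phone
2016-08-15T07:30:00|u1003|view|p77|dob
2016-08-22T06:58:40|u1001|view|p55|home_phone
2016-08-22T09:10:00|u1002|view|p77|insurance
"""


def parse_log(text):
    """Turn pipe-delimited audit lines into event dicts with datetime stamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record, field = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record, "field": field})
    return events


def coworker_records(staff):
    """Map patient record id -> user id for employees who are also patients."""
    return {v["patient_id"]: u for u, v in staff.items() if v["patient_id"]}


def find_alerts(events, staff=STAFF, clinical_roles=CLINICAL_ROLES):
    """Flag the first access per (user, record) where a non-clinical user
    opens a coworker's patient record. Viewing one's own record is skipped."""
    owners = coworker_records(staff)
    seen, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        owner = owners.get(ev["record"])
        if owner is None or owner == ev["user"]:
            continue  # not a coworker's record, or the employee's own record
        if staff.get(ev["user"], {}).get("role") in clinical_roles:
            continue  # role with a treatment/operations reason; outside this rule
        key = (ev["user"], ev["record"])
        if key not in seen:
            seen.add(key)
            alerts.append(ev)
    return alerts


def related_accesses(events, alert, days=30):
    """Investigation step: every access by the alerted user to the same
    record within +/- `days` of the alert, so repeat lookups surface."""
    window = timedelta(days=days)
    return sorted((e for e in events
                   if e["user"] == alert["user"]
                   and e["record"] == alert["record"]
                   and abs(e["ts"] - alert["ts"]) <= window),
                  key=lambda e: e["ts"])


def review(text=AUDIT_LOG):
    """Run the rule over a log and attach the related accesses to each alert."""
    events = parse_log(text)
    return [{"alert": a, "related": related_accesses(events, a)}
            for a in find_alerts(events)]


if __name__ == "__main__":
    for case in review():
        a = case["alert"]
        print(f"ALERT {a['ts']:%Y-%m-%d} user={a['user']} "
              f"record={a['record']} field={a['field']}")
        for e in case["related"]:
            print(f"  related access {e['ts']:%Y-%m-%d} field={e['field']}")
```

On the constructed log this produces one alert, for the August 15 lookup of the coworker’s home phone, and the investigation step returns both that access and the repeat access a week later; the clinician and the nurse looking at a non-employee record are untouched. A production rule would also record the business justification offered by the user and the supervisor’s confirmation, since the policy in this case turned on whether the access was within the scope of the job.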

In her defense, Terrell claimed she believed that she had a legitimate business need. On both occasions, Terrell claimed she wanted to call the employee to be sure she was coming in to work on that day. However, Terrell’s supervisor testified that this was not part of her regular duties and neither the supervisor nor the coworker gave her permission to access the employee’s home phone number in the MLH system.

Because Terrell’s access to MLH’s system was not permitted, MLH found that Terrell had violated its policies. Given the seriousness of her violations, even after 35 years, MLH terminated Terrell’s employment.

Subsequently, Terrell filed an age discrimination claim arguing that the termination was not because of her violations, but instead because of her age. Terrell claimed that the stated reason for her termination was really a “pretext” for age discrimination. To show pretext, Terrell had to demonstrate that the hospital had acted inconsistently in the past and in favor of those who are not protected by the Age Discrimination in Employment Act (i.e., employees under age 40). The court rejected this argument, stating that Terrell had provided no evidence for her allegations of pretext.

The court emphasized that the employer had several policies in place that specifically and clearly prohibited Terrell’s conduct. Additionally, the court found that the employer provided training and had consistently enforced these policies regardless of the employee’s age. Terrell’s behavior violated HIPAA, MLH’s Confidentiality Policy, and its Code of Conduct, and that was a legitimate reason for her termination. Moreover, termination was the contemplated consequence for the violation of each of these MLH policies.

Takeaways for employers

This is a great example of what an employer should do! Employers that are subject to HIPAA, or that sponsor health plans subject to HIPAA, should:


Carrie Cherveny is the senior vice president of strategic client solutions in HUB’s Risk Services Division. She has 20 years of combined experience in employee relations working on the management side providing human resources, employment law, and employee benefits legal guidance.