Is a HIPAA compliance violation cause for dismissal of an employee? Can an employee’s work contract be legally terminated for a HIPAA violation?
The answer is not always clear, as recently shown at an employment tribunal, where a National Labor Reform Board (NLRB) judge ruled that a HIPAA violation did not mean that the employee in question, Britta Brown, lost her rights under the National Labor Reform Act (NLRA). Brown’s termination was found to violate Section 8(a) (3) and (1) of the National Labor Relations Act and her employment was ordered to be reinstated.
Rocky Mountain Deem HIPAA Violation Cause for Dismissal
A HIPAA violation had certainly occurred, but it was not sufficient grounds for termination of the work contract under the circumstances. Brown’s employment contract termination was taken up by the International Union of Operating Engineers (Charging Party or Union) against Rocky Mountain Eye Center on the grounds of a breach of the NLRA.
The NLRA gives employees a certain number of rights. For instance, employers are not permitted to fire individuals without a legitimate reason for doing so. In this case, Rocky Mountain determined that Brown had accessed protected records of co-workers without authorization, which breached HIPAA rules and determined that it was cause for termination of her employment. At face value, this would appear to be a legitimate reason for firing the employee.
However, Brown was not accessing the records out of curiosity nor for personal gain. She accessed protected records to obtain contact information to allow her to send out correspondence to employees and organize a union campaign. The system that she accessed, Centricity, contained Protected Health Information as employees were also patients of the center.
Judge Rules In Favor of Brown
By using the system, Brown violated HIPAA Rules which exist to protect the privacy of patients. However Brown was not the only employee to be using Centricity for this purpose, with supervisors and other workers, on occasion, using the system to find the information they needed. According to the court transcript, access was “primarily for last minute scheduling changes,” and for the “organization of social events”.
If this was the case, it would not be fair to just penalize one employee and if accessing of Centricity was regularly taking place, this suggests that Rocky Mountain was violating HIPAA by failing to provide an alternative system that was suitable, not restricting access or not monitoring inappropriate use of records containing PHI.
The Administrative law judge, Eleanor Laws, ruled, that under the circumstances the HIPAA violation was not sufficient cause for dismissal. She said “While the respondent’s general concerns about HIPAA compliance are unquestionably legitimate, the circumstances here lead me to conclude they were seized upon to stop Brown’s union activity.”
Brown must be given her old position back – or an equivalent position if it is no longer available – and must be reimbursed for her costs. Rocky Mountain Eye Center, may have to answer to the Office for Civil Rights about the inappropriate access of PHI.