Comingling of employee and patient data compromises employer’s HIPAA defense to employee’s claim of discharge for union activity

Natale DiNatale
Robinson & Cole LLP
Contact
LinkedIn
Facebook
X
Send
Embed

An administrative law judge (ALJ) of the National Labor Relations Board has concluded that a health care employer’s use of its medical records software to store employee contact information allowed an employee to access that software for the purpose of sharing personal information about other employees with an outside union organizer.  Rocky Mountain Eye Center, P.C., Case #’s 19-CA-134567, 19-CA-137315 (Laws, ALJ) (May 6, 2015).

The case arose out of the Rocky Mountain Eye Center’s discharge of an employee who had accessed and distributed the names and personal phone numbers, including mobile phone numbers of 17 employees.  The Employer had maintained that information in the same software system that it used to store information about patients.

The ALJ found that employees and supervisors accessed the system to obtain employee contact information for both work-related reasons (last-minute schedule changes) and personal reasons (after-work gatherings).  The ALJ also found that that the employer had trained employees to input their data into that system, even if they were not also a patient, so that if anyone needed to contact them, they could look it up there.

The Employer argued that the employee’s actions violated HIPAA.  It even self- reported the alleged violations to the Department of Health and Human Services, Office of Civil Rights.  The Board’s General Counsel argued that “permitting use of a patient records system to store non-medical information about employees, whether patients or not, would permit HIPAA-covered employers to thwart the [National Labor Relations] Act in the guise of HIPAA compliance.”  The ALJ agreed with the General Counsel and concluded that the Employer’s “comingling of employee and patient data in [the patient records system], along with its training instructions to employees and its practices [. . . ] preclude an legitimate defense that . . . accessing the system to obtain employee phone numbers warranted discipline as a HIPAA violation.”

This case not only highlights the General Counsel of Board’s heightened attention to overly broad confidentiality policies, but also indicates the Board’s unwillingness to yield blindly to confidentiality requirements found in other federal laws, e.g. HIPAA.  In light of this decision, health care employer’s should review how they use their electronic records systems, as well as their confidentiality policies surrounding those systems.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson & Cole LLP | Attorney Advertising

Written by:

Robinson & Cole LLP
Robinson & Cole LLP
Contact
more
less

Robinson & Cole LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide