No Report; No Pay

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.  

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.   

Eddie Tosado was discharged for willful misconduct when he failed to report that a subordinate employee had brought her daughter to work, and allowed her daughter to staple invoices containing protected health information (PHI).  This action was a violation of not only company policy but also HIPAA.  Wellpoint requires its employees to report all known or suspected HIPAA violations. When the stapling violation was brought to Tosado’s attention by a separate employee, Tosado allegedly told that employee to “keep quiet” about the incident and did not report the suspected violation anyone within the company.  That employee then reported Tosado to the human resources department.  

 

The human resources department investigated the report, and requested that Tosado keep the investigation confidential, which he did not.  Shortly thereafter, Wellpoint terminated Tosado’s employment for violating the company policy for failing to report a suspected HIPAA violation and for failing to keep the investigation confidential.  

 

Tosado then filed for unemployment, which Wellpoint opposed on the grounds that Tosado was fired for willful misconduct, and under Connecticut law, an individual is not eligible for compensation benefits if the employee’s termination was for willful misconduct. (General Statutes § 31-236(a)(16)) In order for the misconduct to be considered willful, an individual must be deliberate in his actions, the action must be contrary to an employer’s interest, and the act or omission must have been either intentional or made with reckless indifference. (Regs. Cong. State Agencies § 31-236-26a) Tosado ultimately was aware of the employee’s daughter stapling documents containing PHI, and it was brought directly to his attention.  Tosado was also apparently aware of his obligation to report such suspected violations based on company policy, and he failed to do so.  

 

While this case is specific to Connecticut, it demonstrates the importance of training personnel to report even possible HIPAA privacy violations to the appropriate officials within a HIPAA covered entity's organization.  A copy of the Connecticut Court of Appeals decision is available here

 

Published In: Administrative Agency Updates, Health Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »