HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Aspen Hospital Sued for HIPAA Breach by Former Employee

A healthcare IT worker formerly employed by Aspen Hospital is suing the hospital and five of its employees for an alleged HIPAA breach after it was disclosed he had contracted HIV.

The former employee, only identified as John Doe in the suit, was also a patient at the hospital. His attorneys, Mari Newman, Darold Killmer and Eudoxie Dickey, filed the suit on his behalf and are seeking compensatory and punitive damages, legal fees, and an apology from the hospital for the violation of his privacy. Doe also wants the hospital to change its policies to prohibit the disclosure of sensitive medical information to members of the hospital staff.

John Doe had worked in the IT department of Aspen Hospital for 11 years prior to losing his job. According to the suit, Doe was an excellent employee and was well respected in the department. He was regularly told he had exceeded expected standards and had often been rated as ‘outstanding’ in his performance evaluations.

After filing complaints against the hospital for the disclosure of his HIV status and subsequent retaliatory acts by hospital staff, Doe was fired. He also lost medical insurance coverage, which placed his health at risk, according to the lawsuit.

The breach of Doe’s privacy occurred on September 23, 2012. According to the lawsuit, the human resources director and privacy officer at the hospital, Alicia Miller, disclosed to another member of the hospital staff that Doe had contracted HIV. The disclosure was made “as a piece of conversational gossip over drinks,” according to the lawsuit. It is alleged that Miller had discovered that Doe was HIV positive after seeing “a very large claim” for anti-viral medications.

Doe did not discover that his privacy had been violated until 2014. The employee who had been told of Doe’s condition told him about the conversation after she had left employment at the hospital. The employee also lodged a formal complaint in June 2014 with Elaine Gerson, the hospital’s attorney and chief clinical officer.

The complaint prompted a meeting between Gerson and Doe on June 20, 2014. Following that meeting, Gerson referred the matter to Aspen Hospital’s chief compliance officer, Stephen Knowles, who conducted an investigation into the privacy violation. The lawsuit claims that Knowles conducted “a sham investigation” and attempted to sweep the matter under the rug.

It is claimed that Miller and Knowles were good friends and that Miller claimed not to know how she learned of Doe’s HIV infection. She also allegedly denied disclosing this information to any other employee. The employee who made the complaint claims to have left her employment at Aspen Hospital as a direct result of the privacy violation, and did not feel she could file the complaint until after she left.

Doe filed a complaint with the Department of Health and Human Services’ Office for Civil Rights after no action was taken following the internal investigation. Doe was disciplined ten days after the hospital learned that the complaint had been filed, in what the lawsuit claims was “a retaliatory act.” Doe filed a second complaint with the Office for Civil Rights accusing the hospital of illegal retaliation. Doe claimed that after this, the hospital’s IT Director, Michelle Gelroth, began to “accuse and harass” him over minor issues at work. The lawsuit claims that Gelroth was told to ride Doe over his performance by Miller and the hospital’s HR specialist, Dawn Gilkerson.

The stress caused Doe to take one month of leave because of the effect the situation was having on his health. On his return to work he was demoted, had to work on the IT helpdesk, and had to accept a $1,800 pay cut. A third complaint was filed with the Office for Civil Rights on January 3, 2015, and also with the Department of Labor on January 10, 2015, both for retaliation. Doe was fired on January 22, 2015.

Doe’s attorney, Marlene Saleeby, claims the disclosure of Doe’s HIV infection was a “flagrant violation” of the HIPAA Privacy Rule. Attorney Mari Newman said, “There is certainly a persistent stigma that goes along with the diagnosis of HIV-positive, so the fact that the hospital’s senior HR person and privacy officer felt this was appropriate cocktail fodder is beyond outrageous.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.