NLRB Judge Rules HIPAA Violation not Grounds for Employment Termination

A National Labor Relations Board (NLRB) judge has ruled that the termination of an employee’s contract on the grounds of a clear HIPAA violation was not justified under the circumstances.

The International Union of Operating Engineers (Charging Party or Union) alleged that Rocky Mountain Eye Center, P.C. had violated the National Labor Relations Act (NLRA) by terminating the employment of a worker, Britta Brown, on the grounds of a HIPAA violation.

The employee had accessed protected records of co-workers to obtain contact information for a union-organizing campaign. In this case, the violation occurred because the organization in question was a medical practice and its patients included employees.

The records needed to be legitimately accessed, but the employee used Centricity – Rocky Mountain Eye Center’s healthcare IT system – to obtain the information. When employee contact information is accessed, it is also possible for authorized users to access the Protected Health Information of those individuals.

The National Labor Relations Act offers protections to employees; the question in this case was whether the HIPAA violation meant that the employee lost NLRA protection. The judge ruled that the HIPAA violation should not mean that the employee loses her NLRA rights, and in this case the employer was deemed to be unjustified in firing the employee.

Administrative law judge, Eleanor Laws, wrote in the court decision:

I find the Respondent’s comingling of employee and patient data in Centricity, along with its training instructions to employees and its practices, detailed above, preclude any legitimate defense that Brown’s accessing the system to obtain employee phone numbers warranted discipline as a HIPAA violation. While the Respondent’s general concerns about HIPAA compliance are unquestionably legitimate, the circumstances here lead me to conclude they were seized upon to stop Brown’s union activity.

The judge did not deem it correct for the employer to discipline an employee in this manner for using the tools and training that she was provided with for scheduling social and work events on behalf of the employer, such as organizing a union campaign.

According to the case, it was generally known by workers and supervisors that the EHR was being accessed by employees to obtain the contact details of employees for work purposes, “primarily for last minute scheduling changes,” but also for the “organization of social events”.

The judge ruled that Brown’s termination did in fact violate Section 8(a)(3) and (1) of the National Labor Relations Act and that Brown must be paid compensation to cover her expenses and be offered her old position back, or an equivalent position if it is no longer available.

Any HIPAA violations caused would need to be dealt with by the OCR or state attorney general’s office.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.