HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked and made sure appropriate diagnostic tools were available. Hereford also told the technician and the physician that they should wear gloves because the patient had hepatitis C.

After the procedure the patient filed a complaint, alleging Hereford had spoken sufficiently loudly so that other patients and medical staff in the vicinity would have heard that she had hepatitis C. While the complaint was investigated Hereford was placed on administrative leave, and was later terminated for the HIPAA violation – An unnecessary disclosure of confidential health information.

In her action for unfair dismissal, Hereford claimed this was an ‘incidental disclosure’, which is not a violation of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not occurred. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to dismiss the claim for wrongful termination, as it was deemed there was an unnecessary disclosure of PHI as a physician should not need to be reminded to wear gloves for a procedure to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.

Appeals Court Confirms Nurse HIPAA Violation

Hereford subsequently took her case to the Kentucky Court of Appeals. The Court of Appeals found that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

With respect to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the necessary purpose – 45 CFR 164.502 – explaining, “Under “HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was told the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Penalties for Nurses?

HIPAA violation penalties for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are determined by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What is the Maximum HIPAA Violation Penalty for Nurses

The maximum penalty for a single HIPAA violation is $50,000 per violation or per record, with an annual maximum of $1.5 million per violation category.

Serious violations of HIPAA Rules can warrant criminal charges for HIPAA violations, and in addition to financial penalties jail time is possible. Criminal violations of HIPAA Rules are handled by the U.S. Department of Justice.

Nurses who knowingly obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to one year in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years in jail.

When there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years

Nurse HIPAA Violation Cases

Listed below are some of the recent nurse HIPAA violation cases covered on HIPAA Journal.

Glendale Adventist Medical Center Nurse Fired for HIPAA Violation

Minnesota BCBS Nurse Accused of Unauthorized Accessing of Minnesota Board of Pharmacy Database

Virginia Nurse Charged with Bank Fraud and Identity Theft

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

Minnesota Hospital Fires 32 Over HIPAA Violation

Employees Fired over Sharing of Degrading Photos of Patients on Snapchat

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.