HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Retention by Employees not a HIPAA Breach Says Ark. Court

The U.S District Court of the Western Division of the Eastern District of Arkansas has ruled that two employees who retained the Protected Health Information (PHI) of patients after their employment at Arkansas Children’s Hospital was terminated, did not violate the Health Insurance Portability and Accountability Act (HIPAA).

Unfair Contract Termination after Discovery of Billing Irregularities


Pam and Eben Howard brought an action against Arkansas Children’s Hospital – Dr. Ron Robertson and Jon Bates – after their employment contracts were terminated. They believed their lost their jobs because they highlighted a number of issues relating to how the healthcare provider billed the government. They have accused the healthcare provider of violating the 1st and 14th Amendments, the Arkansas Civil Rights Act, the Public Policy of the State of Arkansas and the False Claims Act.

Potential HIPAA Violations for Retention of PHI and Unauthorized Disclosure


While employed at ACH, the pair collected a considerable volume of PHI of patients. After what the pair considered to be unfair termination of contracts, the PHI was not returned. It was also disclosed to an unauthorized third party.

Under normal circumstances, any employee retaining PHI of patients after employment is terminated would be in violation of HIPAA Rules. Data can only be accessed by authorized individuals. While the pair were authorized to view the information, those access rights stopped when the individuals’ employment contract ended. They should not have disclosed that information to any other unauthorized individual. However, there are exceptions to these rules.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The plaintiffs claim that they were permitted to retain PHI and disclose it to their attorney, as they fall under HIPAA’s whistleblower protections; a claim denied by the healthcare provider. ACH maintains that the Howards violated HIPAA Rules by keeping data and disclosing it to their attorney.

No HIPAA Violations Says Arkansas Court


A motion was filed by the defendants for a partial summary judgement on the grounds that the Howards were not entitled to protection as whitstleblowers under the False Claims Act. The court thought differently.

No HIPAA violation was caused because the plaintiffs were employed by the hospital prior to termination – when PHI was collected; the plaintiffs believed that the hospital was acting in an unlawful manner and violated professional standards; and the disclosure of PHI was to an attorney, solely for the purpose of obtaining legal opinion.

The partial summary judgement was denied, with the court ruling “To the extent that the defendants seek judgment that the plaintiffs are not whistleblowers under HIPAA, the motion is denied on the merits.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.