Written By: Janie Ratliff-Sweeney

Even with the best standards and practices in place, hospitals, doctors’ offices and other medical institutions are only as good at patient health data privacy as the employees who handle the data on a daily basis. Employee mistakes put medical organizations at legal risk if data is improperly disclosed.

In a recent ruling, the Kentucky Court of Appeals upheld an employer’s right to discharge an employee for a Health Insurance Portability and Accountability Act (HIPAA) violation. Dianna Hereford, a hospital nurse, after prepping a patient behind a curtain for a procedure, told the physician and technician performing the procedure that the patient had Hepatitis C and advised them to wear gloves. The patient later filed a complaint, saying that Hereford spoke loudly enough to be heard by other patients and medical personnel and thus improperly disclosed private health information. Hereford argued she didn’t commit a violation, but the court found that she may have and that, in any case, the hospital had the right to fire her as an at-will employee.

The case, Hereford v. Norton Healthcare Inc. dba Norton Audubon Hospital, highlights the importance of careful employee training on HIPAA compliance and of making sure employees realize that insensitivity to patients and the appearance of improper disclosure can be as problematic as actual privacy violations.

In another case, in Tennessee, an EMS medic posted on Facebook about a man who died of a heart attack in his chicken coop, where his wife and EMS workers tried to revive him. In the post, the medic wrote that treating a patient in a chicken coop “was a first” and complained about the smell of chicken droppings. Even though the medic did not reveal private health information about the victim nor mentioned him by name, the man’s wife argued that mentioning the patient was treated in a chicken coop was enough that people in the community who knew the man could easily recognize the Facebook post was about him.

The lesson that healthcare organizations and their employees can draw from these cases is the importance of teaching employees that improper verbal communication — not just information on paper or data in a computer system — may also rise to the level of a HIPAA violation.

If you have questions about your organization’s HIPAA compliance and training programs, call a knowledgeable employment law attorney at Hemmer DeFrank Wessels, PLLC at [ln::phone] or contact us online.