Ms D worked for a large hospital as the director of risk management. Her duties involved resolving patient complaints and reporting potential safety issues and regulatory noncompliance to her supervisors and the state’s department of health. In her time at the hospital, Ms D had never been disciplined or censured. On the contrary, she had received positive performance reviews and bonuses based on merit.

When she was hired 5 years earlier, she had been provided with a copy of the hospital’s policies and procedures to review and sign off on and was told that she would have to abide by the hospital’s rules. The policies addressed access to patient records, ethical and professional standards, code of conduct, and compliance with patient privacy laws.

One day Ms D’s friend was admitted to the emergency department. The following day the friend asked Ms D for a copy of her medical records. Ms D properly had her friend sign the release form required to obtain the records. However, Ms D did not go through the proper channels to obtain the medical records. Instead, she asked Ms L, a young nurse, to obtain them.


Continue Reading

Ms L denied this request. When pressed again, the Ms L said that that this was not the proper procedure for procuring medical records. Eventually, Ms D left.

A nurse practitioner working nearby, Ms N, overheard the interaction and was alarmed at what she perceived as the director of risk management pressuring the nurse. Ms N reported the interaction to the hospital’s compliance officer, citing a violation of both hospital policy and the Health Insurance Portability and Accountability Act (HIPAA). The compliance officer opened an investigation into the allegation. A week later, the hospital suspended Ms D pending the outcome of the investigation by the compliance officer.

The compliance officer interviewed Ms L, Ms N, and other staff who said they had been asked by Ms D to help procure her friend’s medical records. The information was presented to a group made up of the hospital’s senior vice president and chief nursing officer, chief operating officer, and chief executive officer. The officers were concerned about the information presented by the compliance officer.

The group considered imposing lesser discipline, but in the end concluded that because Ms D was a director she should be held to a higher standard. The hospital terminated Ms D’s employment for violation of hospital policies concerning patient privacy.

The Lawsuit

Ms D hired a plaintiff’s attorney and sued the hospital for retaliation and wrongful termination. The hospital filed a motion for summary judgment, asking that the case be dismissed. The hospital argued that Ms D had been terminated from her job for abusing her authority and intimidating staff to obtain a patient’s hospital records in violation of hospital policies.

To support its motion, the hospital included copies of hospital policies, as well as excerpts from the depositions of Ms L, Ms N, and the compliance officer. Specifically, the motion mentioned 3 hospital policies: the first required a patient’s request for medical records to go through the hospital’s Medical Records Department; the second directed employees to avoid conflicts of interest or the appearance of conflicts of interest; and the third instructed employees to demonstrate respect for fellow employees and to refrain from intimidating or using condescending language.

In depositions, the compliance officer testified that he was informed that Ms D sought to obtain a copy of a patient’s medical record. He stated that he was told by the nurse that Ms D had tried to intimidate her and that other staff had complained that Ms D tried to leverage her position to obtain a friend’s medical records.    

In response, Ms D claimed that she had been fired in retaliation for complaints she had made about the nurse, nurse practitioner, and other employees of the hospital in the past as part of her job. She denied possessing or reviewing her friend’s medical records or pressuring anyone to obtain them and claimed that she was merely helping her friend to obtain the records for herself.

The court found that the hospital had articulated a legitimate, nonretaliatory reason for firing Ms D, and that Ms D had failed to rebut this or to present evidence supporting a nexus between any protected action and her discharge. The court held that a risk manager’s job is to report patient health and safety issues to management and cannot be considered a whistle-blower for fulfilling that core function. The court noted that Ms D’s earlier reports to supervisors about patient health and safety concerns had not resulted in disciplinary action but rather in positive reviews and performance bonuses. The former risk manager had abused her authority by trying to coerce a nurse to circumvent the proper channels to obtain confidential protected patient health information, said the court. She had violated the hospital’s policies including those meant to protect the hospital from sanctions for HIPAA violations. The court held that Ms D did not have a valid cause of action and dismissed the case.

Protecting Yourself

It is important to know, understand, and follow your employer’s policies and procedures. In Ms D’s case, considering that she was the hospital’s director of risk management it was even more imperative that she follow these policies and procedures. Although Ms D did take the correct first step by having her friend sign a medical release for the records, she failed to follow the hospital’s procedures to obtain those records and sought a shortcut by trying to pressure a nurse to help her.

It is also important to note that whistleblower protections do not apply when the job itself is to report health and safety issues. This case illustrates the importance of avoiding shortcuts, following procedures, treating fellow employees as you would wish to be treated.

Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, New York.