Ms L was a nurse practitioner working in the neurology department of a major medical center. She had been working at that job for more than 10 years and had worked in the field of neurology for more than 2 decades. Ms L specialized in treating patients with multiple sclerosis, as well as those with headache disorders. 

Although she enjoyed her work, Ms L felt that it was time for a change and accepted a job offer from a large neurology practice. As she was winding down her work at the medical center, she asked her administrator for a list of patients she had treated so that she could ensure their continuity of care. The administrator, believing this to be a legitimate request to assist in ensuring that the patients had a smooth transition to a new practitioner, provided Ms L with a document including information on more than 3000 patients she had treated during her time at the medical center. The list included the patients’ names, addresses, dates of birth, and diagnoses. 

To Ms L, “continuity of care” meant letting the patients know where she was going so that they could switch providers if they chose. To the administrator, “continuity of care” meant ensuring that the next clinician to care for that patient would understand the patient’s case. 

Ms L gave the document to her future employer, the neurology practice. A representative of the practice then sent letters to all of Ms L’s patients, notifying them that Ms L would be working at the practice and advising them about how to switch their care from the medical center to the neurology practice. 

Staff at the medical center discovered that Ms L had shared the document when they began receiving angry calls from patients who had received the letter and were upset that their personal information had been shared. Officials at the medical center interviewed Ms L; she was subsequently suspended and ultimately terminated. 

The medical practice where Ms L was to have started working was notified that neither the medical center nor its patients had consented to the sharing of the document containing the patient information. Upon being notified, the medical practice immediately returned the document and deleted any patient information it had. It also rescinded its job offer to Ms L. 

The incident triggered an investigation by both the state attorney general and the federal Office of Civil Rights, which is the agency that enforces the Health Insurance Portability and Accountability Act (HIPAA). The medical center was accused of not protecting the personal health information of its patients and not properly training its employees on policies and procedures to protect such health information. A settlement was reached with the state attorney general, requiring the medical center to pay a $15,000 fine, to train staff on the handling of protected health information, and to report any breaches that may occur over the next 3 years to the attorney general. The medical center also contacted the affected patients to explain what had happened and instituted a new privacy policy paying particular attention to how patient information is handled when employees leave or join the medical center. The Office of Civil Rights, aware of the action by the state attorney general, ultimately decided against launching its own enforcement action. 

“This settlement strengthens protections for patients,” said the attorney general in a statement, “and it puts other healthcare entities on notice that my office will enforce HIPAA data breach provisions. Other medical centers, hospitals, healthcare providers and healthcare entities should view this settlement as a warning and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information.”

Ms L’s troubles were not over, however. In addition to losing her current job with the medical center and her future job with the medical practice, she faced an action brought against her by the state licensing board. Upon the advice of her attorney, and because she felt that she had few options, Ms L signed a consent order with the state nursing board’s Office for Professional Discipline in which she admitted to violating HIPAA. As part of the settlement, Ms L’s license was suspended for a year, and she received another year of a stayed suspension and 3 years’ probation. Following this period, she returned to practice.