Ms. B was a nurse practitioner working in a hospital 
obstetrics/gynecology department. It was her first job out of school, and she’d been working there for seven years. She liked her work well enough, and best of all, over the past two years, she had been able pay off her student loans and purchase her first home. Her reviews from her supervisors were all generally positive, and Ms. B felt that her life was finally beginning. 

Ms. B’s feelings about her job all changed one morning when she was called into her supervisor’s office. The supervisor looked unusually grim, and the director of human resources was there as well. Ms. B was asked to take a seat.

“As you know,” began the supervisor, “we recently conducted a random audit of our computer system to determine if there have been any HIPAA violations. We take patient privacy very seriously here as you know. You have been working here about seven years, right?”

Continue Reading

Ms. B nodded.

“Well, then,” the supervisor continued, “you already know how seriously we take HIPAA, because you must have seen the mandatory multimedia presentation. We show it in the hospital about twice each year.”

“I have seen that,” confirmed Ms. B.

“Then you know that it’s a violation of HIPAA to access the records of people who are not your patients?”

“Yes,” said Ms. B.

“I am sorry to inform you that the hospital is terminating your employment immediately on the basis of your actions. We have discovered that you accessed the records of four elderly male patients whom you were not treating. In addition, we 
also discovered that you were accessing your own records last year. I’m sorry, but I need to ask you to gather your belongings so that you can be escorted out.”

Ms. B immediately tried to explain that she occasionally had trouble using the computer system and had pulled up the records of the four male patients accidentally, but had closed the files as soon as she realized her mistake, within a minute. 

“And my own records are mine!” protested Ms. B. “How am I violating anyone’s privacy by looking at my own records?”

The supervisor told Ms. B that looking at her own records was a violation of the hospital policy and that she was supposed to request them the same as any other patient. 

Ms. B had never been fired from a job before, and fought the urge to cry. Before she knew it, she was standing outside her car with a half-filled cardboard box containing the few small items that represented seven years at that job. As the days went by, Ms. B’s initial shock and embarrassment at being fired turned to anger. 

“I don’t need them,” she told herself. “I was getting tired of working there anyway. I’d rather work in a physician’s office.”

She began to apply for other positions, but found it was much more difficult to get a job in the current economy. Meanwhile, the bill for her health insurance arrived, her mortgage payment had to be made each month, and bills had to be paid. Ms. B’s meager savings were soon gone, but she took comfort in knowing that at least she had applied for unemployment insurance benefits, and that should be starting soon.

The situation went from bad to worse when Ms. B received a letter from the unemployment office rejecting her claim. According to the letter, she was ineligible for unemployment benefits because she had been discharged for “employment misconduct.” She appealed the ruling, but an unemployment law judge rejected the appeal. 

Months had now passed. Ms. B was applying for jobs, but rarely getting interviews. And when she did get an interview, she worried about who she might use as a reference from her old job. No employment offers were forthcoming, her mortgage was now in arrears, and Ms. B was seriously considering dropping her expensive COBRA insurance coverage. 

She finally called a local legal- services office that offered low-cost help to financially strapped people. There Ms. B met with an attorney who listened to her story and suggested that she contact the state appellate court. The Court of Appeals accepted the case, and papers were filed by both the hospital and Ms. B.

After reviewing all the motions, the Court of Appeals overturned the unemployment judge’s decision and ruled that 
Ms. B was entitled to collect unemployment benefits.

Legal background

The Court of Appeals agreed with Ms. B that her accessing the records of the four patients was clearly inadvertent, as evidenced by the fact that she logged off as soon as she realized her error. The main point left for the court to decide was whether accessing one’s own records was a violation of HIPAA.

The court noted that Ms. B accessed her records three times during a one-week period when she was trying to reach her supervisor about a laboratory result. The court also noted that the hospital’s multimedia HIPAA training presentation, which employees were required to view, did not include any information about looking up one’s own records, just the records of others.

Even if the hospital had a policy against accessing one’s own records, and even if Ms. B knew about this policy (which she claimed she did not), the court held that Ms. B’s actions were not “employment misconduct sufficient to disqualify this long-term employee from receiving unemployment benefits.”

“No actual harm or risk of harm in exposing private information occurred when Ms. B consulted her own medical records,” stated the court. “Ms. B’s consultation of her own medical records does not show a serious violation of the standards of behavior the employer has the right to reasonably expect of the employee that would meet the definition of employment misconduct.”

The court declined to address the issue of whether Ms. B should have been fired over the hospital’s policy against accessing one’s own records, but ruled that she did not violate HIPAA and did not commit employment misconduct, and that she was entitled to unemployment benefits. 

Protecting yourself

Complying with HIPAA is very important, and employers take this rule very seriously. Practitioners have been fired for accessing the records of relatives, friends and even celebrities who were not their patients. Yet, mistakes can happen.

If you work in the same place where you receive health-care services, it is not a HIPAA violation to view your own records, but it may be a violation of your employer’s policy. Before you access any records that are not those of a patient you are currently treating, you should find out whether there is a protocol in place for this. 

Ann W. Latner, JD, is a former criminal defense attorney and a freelance medical writer based in Port Washington, N.Y.