When we hear about privacy issues in the medical field, we almost immediately think about violations of The Health Insurance Portability and Accountability Act (HIPAA). Although many privacy issues do not rise to the level of a HIPAA breach, they still may be significant enough to get a clinician fired or censured by the state nursing board. This month we look at one such case.
Ms L was a nurse working in a large suburban hospital. She had many years of experience in general but had been working for the hospital for less than a year. Ms L was assigned to the intensive care unit (ICU). Five nurses were assigned to each shift, and the last one on the list was flexible depending on the number of patients in the ICU. If the patient census was low, the last nurse on the list would be put on call and would not have to work the shift. Nurses could call the charge nurse on the unit earlier in the day to find out if they would be needed for an assigned shift.
In order to determine if she would have to come in for a shift, Ms L remotely accessed the patient census list from the hospital from her home, using her personal computer. The patient census list from the ICU contained private health information including patient names, ages, diagnoses, medications, and insurers. Over the course of 1 month, Ms L remotely accessed the patient census list 11 times.
The hospital discovered the remote access the next month and questioned Ms L about it.
“Yes,” she said to her supervisor. “I did access the list. I did it so I could see the capacity in the ICU to know whether I would be needed at work.”
“As you know, the hospital’s information security policy prohibits remote access to the computer system without authorization, which you did not have,” said Ms L’s supervisor, Ms S. “Nor did you need to access the list to treat a patient or for any other legitimate job responsibility.”
The supervisor issued Ms L an employee disciplinary notice, suspended her for 2 shifts, and required her to repeat a HIPAA training class.
Additionally, the supervisor filed a complaint with the state Board of Nursing. The Board began its own investigation and found probable cause to file a notice of hearing and statement of charges against Ms L, alleging that she violated state code regarding privacy rights of patients. A hearing took place, after which the Board made the following finding of facts:
- Ms L had accessed the patient lists for the sole purpose of determining the ICU census so that she could determine whether she would be working her shift the next day or be placed on call.
- Ms L did not use the information for any other purpose, and she did not share it with anyone.
- Ms L was not authorized to access the patient lists from remote locations.
- Ms L did not need the patient list information in order to perform her duties.
The Board found that Ms L had committed unethical conduct by violating the confidentiality or privacy rights of patients by accessing protected health information on the census lists without the need to do so. As punishment, the Board imposed a citation and a warning as discipline.
Ms L filed an application for a rehearing with the Board, claiming the Board’s finding was unsupported by the evidence and inconsistent with the Board’s findings that she did not use or share the information.
The Board denied her application, repeating that accessing the protected health information without a legitimate reason was sufficient to find that Ms L had violated the confidentiality or privacy rights of patients. The Board also noted that it had fully considered the circumstances of the violation (ie, that Ms L didn’t understand that her actions violated patient privacy, that she did not disclose the information to anyone else, and that the hospital determined her actions were not a reportable HIPAA breach) when it chose to impose the least severe sanction available: a citation and a warning.
Unsatisfied, and angry at what she felt was mistreatment, Ms L filed a petition for judicial review, asking the court to overturn the Board’s ruling.