Ms L argued that accessing – without reading or sharing – patients’ protected health information is not sufficient conduct to find a violation of patients’ confidentiality or privacy rights. However, the court disagreed. “Ms L admits that she repeatedly accessed the census list, which contained numerous forms of protected health information,” wrote the court in its decision. “Ms L denies reading the parts of the list containing the protected information, but she does not deny that she accessed the information and that the information was not necessary for her to complete her job duties. Accessing the unneeded confidential information is a violation of hospital policies put in place to protect patient confidentiality, which Ms L knew or should have known about.” The court dismissed her appeal.
Ms L did not think she was doing anything wrong when she accessed the patient census list. After all, she didn’t read anything – she just looked at the number of patients. She didn’t share any information. So how was this a violation?
It is simple. First, it was a violation of her hospital’s policies. Violating your employer’s policies can get you reprimanded, suspended, or worse. Second, it was a violation of the state’s administrative code regarding patient privacy as determined by the Board of Nursing.
Although Ms L didn’t do anything with the information, the simple act of accessing it in the first place was the violation. The fact that she had no malicious intent when doing it didn’t matter. What mattered was that she was not authorized to access the list, and she had no legitimate patient-related purpose for doing so.
It is essential to know your employer’s policies about information security and patient privacy. Never access records of patients who are not yours or records that you do not have a legitimate reason to look at. Be extremely careful about remotely accessing your employer’s computer system from home; never do so without a very specific reason, and never do so if employee policy forbids it.
While a privacy violation may not rise to the level of a HIPAA violation, it can still be enough (as in this case) to cause you plenty of misery.
Ms Latner, a former criminal defense attorney, is a freelance medical writer in Port Washington, New York.