Recently, a case highlighted how one medical provider appropriately managed its HIPAA compliance by consistently enforcing its policies and keeping tabs on who accessed protected health information. While the case involves a provider, employers with health plans subject to HIPAA can also learn some valuable lessons from this case.
Lankenau Medical Center is an acute care hospital that is part of Main Line Health, a not-for-profit health system. Gloria Terrell worked as an operating room secretary for Lankenau for more than 35 years. As an OR secretary, Terrell was responsible for the OR schedule, calling for patients, sending for blood and medications, patient billing and charts, office supplies, ordering uniforms, and other related duties.
In her capacity as OR secretary, Terrell had access to the hospital system used to store various forms of protected health information such as patient names, dates of birth, social security numbers, phone numbers, and insurance information. However, she did not have access to patient medical charts. As in many healthcare organizations, employees were often also patients of Lankenau.
On August 15, 2016, Terrell accessed a coworker’s home phone number in the MLH system. Seven days later Terrell accessed it again. Generally, employee phone numbers are kept in a list on a clipboard in the OR. However, the clipboard had been missing on both occasions.
As a medical provider, MLH is subject to the privacy regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). In particular, MLH has a number of policies and processes designed to ensure the privacy of patient information and compliance with HIPAA:
1. Confidentiality Policy – requires employees to safeguard various types of private and/or protected information. Employees have to sign a confidentiality statement that the employee will only access patient/employee information “about whom I have business need to know”.
2. Code of Conduct and Behaviors that Undermine a Culture of Safety (“Code of Conduct”) – prohibits unauthorized disclosure, access, and/or release of confidential, Protected Health Information (“PHI”) and prohibits unauthorized use of the MLH systems.
3. Annual HIPAA training and testing – employees are required to complete annual HIPAA training and testing which includes explanations and examples of the HIPAA compliance rules such as:
a. PHI under the MLH policy includes “any information identifiable to a patient” such as name, address, email, etc.
b. The patient must authorize disclosure unless it is needed for treating the patient, patient payment, or health care operations
c. Employees are instructed, and acknowledge, that they must “access only information you need to do your job” and “use the information to perform your job only”
To monitor for compliance, MLH implemented privacy monitoring technology. The technology monitored employee system usage for access to Personally Identifiable Information (“PII”) and/or PHI to identify usage that is not based on legitimate business purposes.
Employees who violate MLH policy are subject to a performance management policy that includes disciplinary action up to and including termination. It was a violation of the policy to access “PHI outside the scope of job duties (to compare coworker workloads, learn about clinical operations)” and/or check “on a coworker, family member or neighbor”.
Terrell’s Conduct and Policy Violations and the Fallout
Terrell’s access on August 15 was flagged by a technology monitoring system. As a result, MLH launched an investigation and found Terrell’s second access that occurred seven days later.
In her defense, Terrell claimed she believed that she had a legitimate business need. On both occasions Terrell claimed she wanted to call the employee to be sure she was coming in to work on that day. However, Terrell’s supervisor testified that this was not part of her regular duties and neither the supervisor nor the coworker gave her permission to access the employee’s home phone number in the MLH system.
Because Terrell’s access to MLH’s system was not permitted, MLH found that Terrell had violated its policies. Given the seriousness of her violations, even after 35 years, MLH terminated Terrell’s employment.
Subsequently, Terrell filed an age discrimination claim arguing that the termination was not because of her violations, but instead because of her age. Plaintiff claimed that the reason for her termination was really a “pretext” for age discrimination.
To show pretext, the Terrell had to demonstrate that the hospital had acted inconsistently in the past and in favor of those who are not protected by the Age Discrimination in Employment Act (i.e. under age 40). The court rejected this argument stating that Terrell had provided no evidence of her allegations of pretext.
The court emphasized that the employer had several policies in place that specifically and clearly prohibited Terrell’s conduct. Additionally, the court found that the employer provided training and had consistently enforced these policies regardless of the employee’s age. Terrell’s behavior violated HIPAA, MLH’s Confidentiality Policy, and its Code of Conduct and that was a legitimate reason for her termination. Moreover, termination was the contemplated consequence for the violation of each of these MLH policies.
What was right
This is a great example of what an employer should do! Employers that are, or that have plans, subject to HIPAA should:
✓ Ensure you have HIPAA and disciplinary policies that are well written, clear, and understandable
✓ Provide examples of prohibited conduct
✓ Enforce your policies consistently and across the board – don’t make exceptions or vary your response to similar violations and misconduct
✓ Ensure that employees are trained and tested on a regular basis – here, MLH trained and tested employees annually
✓ Monitor employee conduct and behavior for compliance – whether you implement technology system or manually monitor employees, staying on top of employee’s conduct is essential
✓ Be sure that if you are a medical provider that provides care to your employees that they are included in the protections offered by your policies
Carrie Cherveny is the Senior Vice President of Strategic Client Solutions in HUB’s Risk Services Division. She has 20 years of combined experience in employee relations working on the management side providing human resources, employment law, and employee benefits legal guidance.