A North Audubon Hospital registered nurse had her employment contract terminated as a penalty following an allegation by a patient that she had violated HIPAA regulations. Dianna Hereford contested the termination on the grounds of a HIPAA violation by filing an action in Jefferson Circuit Court and stating she had “strictly complied with HIPAA regulations”.
The cause of the termination was an alleged impermissible disclosure of protected health information (PHI) before assisting a transesophageal echocariogram in North Audubon’s Post Anesthesia Care Unit. The concerned patient was in an examination area separated from its surroundings by a curtain. As well as Ms. Hereford, a physician and echocardiogram technician were present.
Alleged Improper Disclosure of Sensitive Health Information
Prior to the procedure, Hereford took time with the patient to describe the procedure, ensured the procedure site was appropriately indicated, and that the various diagnostic tools were to hand. Hereford noted that the technician and physician should wear gloves as the patient had hepatitis C.
Following the procedure, a complaint was made by the patient who alleged that other patients and staff could have learned her condition as Ms. Hereford had spoken loudly enough for them to hear. Ms. Hereford was placed on administrative leave as the incident was being investigated, resulting in her termination for an unnecessary disclosure of confidential health information, a violation of HIPAA regulations.
Hereford argued that her dismissal was unfair as the actions should be regarded as an ‘incidental disclosure’, which does not violate HIPAA rules. To support her claim, she pointed to the professional opinion of an employment insurance referee who said that no HIPAA violation had taken place. Hereford also alleged that she was the subject of defamatory statements made to the Metropolitan Louisville Healthcare Consortium.
A motion was filed to dismiss the case by Norton, or alternately for a summary judgment. The motion to dismiss the wrongful termination claim was granted by the Court as it was seen as unnecessary to remind a physician to wear gloves during a procedure to prevent the contraction of an infectious disease. The defamation claim was not dismissed.
In October of 2015, the defamation claim was dismissed with prejudice after Norton sought a summary judgment. The court ruled that no defamation occurred as Norton were telling the truth when they cited Ms. Hereford’s HIPAA violation as the reason for termination.
Appeals Court Confirms HIPAA Violation Judgment Against Nurse
The case then went before the Kentucky Court of Appeals, which stated that “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees”. Ms. Hereford could not argue for wrongful discharge by relying on HIPAA rules.
When determining the wrongful dismissal action, the court’s ruling was made in respect to the minimum necessary standard. This standard restricts the disclosure of PHI to the absolute minimum needed to carry out the necessary purpose – 45 CFR 164.502 – further stating that “Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning”. It was the verdict of the court that HIPAA had been violated by the nurse. The dismissal of the defamation claim was also upheld on similar grounds – no defamation took place when the reason provided to the Metropolitan Louisville Healthcare Consortium for the dismissal was accurate.
What Penalties Could Nurses Face for Violating HIPAA?
There are four separate disciplinary tiers that apply to nurses who breach HIPAA Rules. They are judged on the level of negligence shown, from unknowing to willful negligence.
Each tier has a minimum fine per violation: $100 for tier one; $1,000 for tier two; $10,000 for tier three; and $50,000 for tier four. The final sum is decided by the Department of Health and Human Services, or by the relevant state’s Attorney General, once it has been determined that a penalty is to be imposed following a HIPAA violation.
Is There a Maximum HIPAA Violation Fine for Nurses?
A single HIPAA violation or record carries a maximum penalty of $50,000. Each category of violation is subject to an annual maximum of $1.5 million in fines.
Severe HIPAA violations may lead to criminal charges and a custodial sentence may be given as well as a fine. The Department of Justice deals with criminal violations of HIPAA Regulations.
A nurse who knowingly obtains or discloses individually identifiable PHI could be subject to $50,000 in financial penalties and could face a one year jail sentence. These punishments rise to $100,000 and five years if it is found that the offense was committed under false pretenses. Selling, transferring, or illegally using PHI for commercial advantage, personal gain, or to cause malicious harm could lead to maximum penalties of up to $250,000 and ten years in jail.
In the case of an aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years.