Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Beware of HIPAA, Patient Privacy During Practice Employment Disputes.” The full text can be found in the March 30, 2015 issue of Medical Practice Compliance Alert, but a synopsis is below.
The opinion in the case of Peace et al. v. Premier Primary Care Physicians S.C. et al. (the “Peace Case”) in the U.S. District Court for the Northern District of Illinois highlights how privacy rights do not give physician practices free rein to use patient information for their own purposes without potential serious legal fallout. In the Peace Case a physician practice group (the “Practice”) terminated two employees, citing, among other things, poor job performance and rude and unprofessional behavior to patients. The Practice then refused to reveal to the terminated employees the names of specific patients who had purportedly complained of such unprofessional behavior.
The District Judge sided with the former employees to some extent and ordered the Practice to provide contact information for a limited number of such patients, so that the terminated employees could contact and interview them as part of the discovery process in their employment lawsuit against the Practice. Elizabeth observed, “The physicians had enough information [to justify the termination] without putting patients in the middle. The [P]ractice put itself in a position to now have to turn over patient information and alienate patients.”
The Peace Case also demonstrates the confusion surrounding privacy rights, as the Practice may have violated HIPAA patient privacy requirements by having to disclose patient protected health information (“PHI”) without authorization. Unfortunately, Elizabeth suspects, the judge and attorneys in the Peace Case appeared not to have known much about HIPAA, so its applicability was not adequately addressed. I was quoted as adding the following to Elizabeth’s point:
It looks like the judge factored a remedy designed to pressure them [the Practice and the terminated employees] to settle. Even if the [former] employees were entitled to PHI in their employment suit, HIPAA likely was not followed. There was neither protective order [limiting the disclosure] nor [adherence to HIPAA’s] minimum necessary requirements. Either party would have helped their cases here by invoking HIPAA.
Practices should also take caution when using PHI and identities of patients to justify employment decisions. “The [P]ractice should have downplayed the role of patients,” Elizabeth advised.
In summary, in order for physicians to protect their practices, they must be certain that the practice and its legal counsel understand HIPAA obligations with respect to privacy and security in the context of employment disputes. The judge may need guidance in this area or even to be alerted that HIPAA may be an issue.