Arkansas Court Rules that PHI Retention by Employees is not a HIPAA Breach

Two employees who retained the Protected Health Information (PHI) of patients after their employment at Arkansas Children’s Hospital was terminated, did not violate the Health Insurance Portability and Accountability Act (HIPAA) according to a rulign made by the U.S District Court of the Western Division of the Eastern District of Arkansas.

Pam and Eben Howard took an action against Arkansas Children’s Hospital – Dr. Ron Robertson and Jon Bates – after their contracts of employment were terminated. They believed their their jobs were terminated because they highlighted a number of problems relating to how the healthcare provider billed the government. They have claimed that the healthcare supplier violated the 1st and 14th Amendments, the Arkansas Civil Rights Act, the Public Policy of the State of Arkansas and the False Claims Act.

While working at ACH, the pair collected a considerable volume of PHI of patients. After what the pair thought to be unfair termination of contracts, the PHI was not returned. It was also given to an unauthorized third party.

Under usual circumstances, any employee retaining PHI of patients after employment is terminated would be breaching HIPAA Rules. Data should only be accessed by authorized people. While the pair were authorized to view the data, those access rights stopped when their employment contract ended. They should not have disclosed that information to any other unauthorized person. However, there are some exceptions to these privacy rules.

The plaintiffs claim that they were allowed to retain PHI and disclose it to their attorney, as they come within HIPAA’s whistleblower protections; a claim which is denied by the healthcare supplier. ACH maintains that the Howards breached HIPAA Rules by keeping data and giving it to their attorney.

A motion was submitted by the defendants for a partial summary judgement on the basis that the Howards were not entitled to protection as whitstleblowers under the False Claims Act. The court thought differently.

No HIPAA violation was caused because the plaintiffs were memebrs of staff at the hospital prior to termination – when PHI was collected; the plaintiffs believed that the hospital was acting in an illegal manner and violated professional standards; and the disclosure of PHI was to an attorney, solely for the purpose of obtaining legal opinion.

The partial summary judgement was denied, with the court decreeing “To the extent that the defendants seek judgment that the plaintiffs are not whistleblowers under HIPAA, the motion is denied on the merits.”