Norton Audubon Hospital has revealed that a HIPAA violation that a patient alleged took place led to the termination of the registered nurse’s employment contract.
The nurse in question, Dianna Hereford, initiated a legal action in the Jefferson Circuit Court alleging her employer illegally terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’
The incident that led to her sacking was a supposed impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was helping with a transesophageal echocardiogram. When the alleged HIPAA violation took place, the patient was in an examination area that was separated from other areas using a curtain. Hereford was present along with a physician and an echocardiogram technician.
Hereford informed the court that she performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, reviewed to make sure the site of the procedure was clearly marked and made sure proper diagnostic tools were being used. Hereford also informed the technician and the physician that they should don gloves because the patient had hepatitis C.
After the procedure the patient submitted an official complaint, alleging Hereford had spoken loud enough for other patients and medical staff in the vicinity to have heard that she had hepatitis C. While the complaint was reviewed Hereford was placed on administrative leave, and was later sacked due to the HIPAA violation – an unnecessary disclosure of confidential health information.
In her unfair dismissal legal action, Hereford said that she was of the belief that this was an ‘incidental disclosure’, which is not a breach of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not taken place. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.
Norton submitted a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to throw out the claim for wrongful termination, as it was deemed there was an unnecessary disclosure of PHI as a physician should not need to be reminded to don gloves for a procedure to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.
Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.
Hereford next took her case to the Kentucky Court of Appeals. The Court of Appeals ruled that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”
In relation to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the necessary purpose – 45 CFR 164.502 – outlining, “Under “HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was informed the truth about the reason for dismissal.
What Are the Potential HIPAA Violation Fines for Nurses?
HIPAA violation fines for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.
The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are calculated by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.
What is the Maximum HIPAA Violation Fine for Nurses
The maximum fine for a single HIPAA violation is $50,000 per violation or per record, with a yearly maximum of $1.5 million per violation category.
Serious breaches of HIPAA Rules can warrant criminal charges for HIPAA violations, and along with financial penalties jail time is possible. Criminal violations of HIPAA Rules are managed by the U.S. Department of Justice.
Nurses who intentionally obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to 12 months in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If it can be shown that there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum fine is a fine up to $250,000 and up to 10 years in jail.