Court Upholds Termination for Nurse HIPAA Violation

Aug 11, 2020

Norton Audubon Hospital has revealed that a HIPAA violation alleged by a patient led to the termination of a registered nurse’s employment contract.

The nurse in question, Dianna Hereford, initiated a legal action in the Jefferson Circuit Court alleging her employer illegally terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that led to her sacking was a supposed impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was helping with a transesophageal echocardiogram. When the alleged HIPAA violation took place, the patient was in an examination area that was separated from other areas using a curtain. Hereford was present along with a physician and an echocardiogram technician.

Hereford informed the court that she performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked that the site of the procedure was clearly marked, and made sure proper diagnostic tools were being used. Hereford also informed the technician and the physician that they should don gloves because the patient had hepatitis C.

After the procedure, the patient submitted an official complaint, alleging Hereford had spoken loudly enough for other patients and medical staff in the vicinity to have heard that she had hepatitis C. While the complaint was reviewed, Hereford was placed on administrative leave, and she was later sacked due to the HIPAA violation – an unnecessary disclosure of confidential health information.

In her unfair dismissal legal action, Hereford said that she was of the belief that this was an ‘incidental disclosure’, which is not a breach of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not taken place. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton submitted a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to throw out the claim for wrongful termination: it deemed that there had been an unnecessary disclosure of PHI, as a physician should not need to be reminded to don gloves for a procedure to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.

Hereford next took her case to the Kentucky Court of Appeals. The Court of Appeals ruled that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

In relation to the wrongful dismissal claim, the court based its decision on the minimum necessary standard (45 CFR 164.502), which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the intended purpose, stating, “Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct, as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was informed of the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Fines for Nurses?

HIPAA violation fines for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are calculated by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What Is the Maximum HIPAA Violation Fine for Nurses?

The maximum fine for a single HIPAA violation is $50,000 per violation or per record, with a yearly maximum of $1.5 million per violation category.

Serious breaches of HIPAA Rules can warrant criminal charges, and, along with financial penalties, jail time is possible. Criminal violations of HIPAA Rules are managed by the U.S. Department of Justice.

Nurses who intentionally obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to 12 months in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If it can be shown that there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine of up to $250,000 and up to 10 years in jail.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
