Nurse Who Shared Patient Data with New Employer gets 1-Year Suspension

by | Jun 11, 2018

A nurse who shared patient data with her new employer has been suspended for 12 months by the New York State Education Department, while her former employer has been fined $15,000 for the breach of Protected Health Information.

In April 2015, Martha C. Smith-Lightfoot – a nurse practitioner formerly working at University of Rochester Medical Center (URMC), NY – requested data on patients she had treated in order to ensure the continuity of care after she left URMC to take a new position at Greater Rochester Neurology.

Smith-Lightfoot was sent a spreadsheet containing the names, dates, of birth, addresses, and diagnoses of 3,403 patients. However, without the knowledge of URMC or authorization of the patients, Smith-Lightfoot impermissibly disclosed the Protected Health Information to her new employers.

The HIPAA violation was noticed when several patients complained to URMC about being contacted by Greater Rochester Neurology about switching health care providers. When it became apparent what had occurred, URMC contacted Greater Rochester Neurology and the list was given back.

URMC then notified HHS’ Office for Civil Rights and the New York Attorney General of the data breach. HHS’ Office for Civil Rights investigated the impermissible disclosure but found URMC was not at fault and took no further action. The New York Attorney General felt differently and fined URMC $15,000.

No criminal charges were brought against the nurse who shared patient data, but the matter was referred to the New York State Education Department – the licensing authority for healthcare professionals in the State of New York. The Department suspended Smith-Lightfoot’s license for one year and gave her a two-year probation for when she returns to work.

Footnote: Following the data breach, URMC announced it had tightened regulations around access to Protected Health Information and heightened workforce awareness about HIPAA policies. Other healthcare organizations can learn from URMC’s compliance shortcomings inasmuch as it is not uncommon for departing employees to take confidential data with them to a new employer and this possibility should be factored into a risk assessment to determine HIPAA policies and the HIPAA training that needs to provided on the policies.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy