Wednesday, May 13, 2015

NLRB judge strikes down termination based on HIPAA violation

HIPAA. Five letters that strike fear into the heart of anyone that handles employee medical information. That is, anyone except an NLRB judge passing judgment on whether an employer was justified in firing a union-supporting employee for clear HIPAA violations.

In Rocky Mountain Eye Center [pdf], and NLRB administrative law judge was faced with the issue of whether the NLRA protects an employee of a medical practice, Britta Brown, who accessed co-worker medical information in her employer’s Centricity database for the purpose of gathering contact info for a union-organizing campaign. The judge concluded that the employee’s HIPAA violation did not strip her of the Act’s protection.

I find the Respondent’s comingling of employee and patient data in Centricity, along with its training instructions to employees and its practices, detailed above, preclude any legitimate defense that Brown’s accessing the system to obtain employee phone numbers warranted discipline as a HIPAA violation. While the Respondent's general concerns about HIPAA compliance are unquestionably legitimate, the circumstances here lead me to conclude they were seized upon to stop Brown’s union activity.

In other words, because the employer: 1) permitted the co-mingling of non-protected employee contact information with protected patient medical information, regardless of whether the employee was also a patient, and 2) trained (or, at least, acquiesced in) employees using Centricity to access each others’ contact info for work-related reasons, such as scheduling and social events, the employer could not discipline an employee who used the same tools to access the same information for a union-organizing campaign.

HIPAA isn’t the only law that mandates the confidentiality of medical information.

  • The ADA provides that information obtained by an employer regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a “confidential medical record.”
  • If an employer has genetic information obtained under one of GINA’s limited exceptions, it must also keep this information separate from personnel files and treat it as a confidential medical record.

If you are a medical practice and your employees are also your patients, HIPAA adds a deep layer of complexity to these confidentiality issues. The judge’s decision in Rocky Mountain Eye Center notwithstanding, take these confidentiality requirements seriously, and train your employees on the proper handling of, and access to, confidential medical information. Otherwise, instead of an unfair labor practice charge, you might be facing a lawsuit from an employee relating to a breach of confidentiality.