Kentucky HIPAA Violation Case Ruling Upheld by Appeals Court

A Kentucky appeals court upheld a previous ruling that a hospital lawfully terminated a nurse from her position after she committed a HIPAA violation.

By Elizabeth Snell

A Kentucky hospital was found to have acted lawfully when it fired a nurse for committing a HIPAA violation, according to the Kentucky Court of Appeals.

The Appeals Court upheld a lower court’s dismissal of the nurse’s claim that her employment had been terminated in spite of her complying with HIPAA.

“[She] argued that her termination violated public policy because she was fired despite having strictly complied with HIPAA regulations,” the decision explained. “She further maintained that at most she engaged in ‘incidental disclosure’ which is not actionable under HIPAA.”

The nurse, Dianna Hereford, added that the hospital and some employees had defamed her by informing individuals that she had violated HIPAA.

The incident in question occurred on May 7, 2013, when Hereford was working with an echocardiogram technician. The patient had Hepatitis C and was waiting in an examination area behind a privacy curtain.

Hereford reportedly told colleagues to wear gloves because of the patient’s disease. The patient then filed a complaint with the hospital saying that confidential health information was improperly disclosed because Hereford was loud enough to have been heard by other patients and medical personnel.

Hereford acknowledged that she was an “at-will” employee at the hospital, but argued that she maintained HIPAA compliance. She added that

The lower court determined that Hereford unnecessarily disclosed the patient’s Hepatitis C status and that “a physician should not require being told that a patient has an infectious disease as a reminder to wear personal protective equipment such as gloves.”

The Appeals Court found that Hereford “cannot rely on HIPAA as a basis for a wrongful discharge claim since HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

Furthermore, the lower court was correct in its conclusion to dismiss the defamation claims, according to the decision.

“This finding was grounded on the court’s recognition that a medical provider must use the minimum amount of protected health information to accomplish the necessary purpose,” the decision explained. “The court concluded that ‘Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning. As a matter of law, the Defendants could not have defamed Hereford by speaking the truth that she was terminated for a HIPAA violation.’”

HHS states on its website that the minimum necessary standard requires covered entities “make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”

“If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard,” HHS explains.

This standard has come under question before, with some industry stakeholders questioning whether adjustments are necessary to better clarify the requirement.

A National Committee on Vital and Health Statistics’ (NCVHS) subcommittee on privacy, confidentiality, and security discussed the HIPAA minimum necessary standard at a hearing in June 2016.

AHIMA President and Board of Directors Chair Melissa Martin, RHIA, CCS, CHTS-IM, testified that future guidance could be aided by a clearer definition of the “minimum necessary.”

Inconsistent definitions can occur when covered entities determine an appropriate definition, Martin said. Additionally, it can “lead to confusion and potential litigation should a patient and/or their legal representative disagree” with the determined definition.

Evolving technology has also affected the minimum necessary requirement, Martin explained. Technological capabilities and potential limitations should be taken into account in creating a clear and objective minimum necessary definition.

“AHIMA has long advocated for the need to improve and enhance the flow of data throughout the healthcare system,” she stated. “However, as the paradigm has shifted to enhancing data sharing and improving data accessibility, the amount of PHI necessary to meet the minimum necessary standard has expanded exponentially, so that the concept is associated with fewer transactions.”

