Nurse Practitioner License Suspended Following HIPAA Breach
Prior to leaving her former employer, the nurse obtained a spreadsheet of contact and health information for 3,403 patients she had been treating. She had personally requested the information in order to help ensure continuity of care following her departure. Her employer gave her the list for that purpose and expected the nurse to make notes on each patient so that her replacement or other future treating providers would be up to date on the patient and his or her status. Giving the spreadsheet to the nurse for this purpose, while she was an employee, is a permissible use or disclosure under HIPAA that does not require patient consent.
Once she left her former employer, it would have been a HIPAA breach for the nurse to retain the spreadsheet or the information on it in any form. But, not only did the nurse retain the spreadsheet after her employment status changed, but she affirmatively violated HIPAA when gave the information on the spreadsheet to her new employer. Her new employer then used this information to contact the listed patients about switching providers.
The nurse did not face criminal charges, but the New York State Education Department Office of the Professions investigated the matter. She received a 12-month suspension of her license, a 12-month stayed suspension and an additional 2 years of probation when she returns to practice.
The former employer was fined $15,000 for the HIPAA violation by the New York attorney general. The Department of Health and Human Services’ Office of Civil Rights investigated but closed the case without assessing any financial penalties against the former employer.
It does not appear that the nurse’s new employer faced any financial penalties for the use of patient information improperly obtained.
It should be noted that this matter was investigated and prosecuted by the Office of the Professions, which does not investigate or prosecute professional misconduct for physicians, physician assistants or specialist assistants.
While individual practitioners are not often disciplined or sanctioned for professional misconduct after HIPAA violations, the situation which precipitated this nurse’s suspension is very common.
1. Individual providers should carefully reconsider any temptation to take patient information to a new employer. Not only does this subject your former employer to HIPAA investigation and possible sanctions, but it can form the basis for professional misconduct sanctions which will follow a provider for the remainder of his or her career.
2. Employers should be exceptionally mindful of the information disclosed to employees who have provided notice of their departure. Regardless of what the employee does with it once he or she leaves the practice, it is a HIPAA breach for a non-employee to possess the information, even if it was obtained lawfully in the first instance.
3. Health care providers who bring on new employees should also be mindful of using any patient information brought by the new employee. Unless the new employee has a valid patient authorization, it is an improper for the employee to disclose that information to a new employer. It is likely also a HIPAA violation for the new employer to use that information and contact the patients soliciting their business. In any event, accepting the information from the new employee could jeopardize the new employee’s ability to work at your facility or practice if he or she is sanctioned.