HIPAA Violation Was a Pretext
A hospital employee’s violation of patient privacy as protected by HIPAA is a serious matter. An intentional violation can and should lead to discipline up to and including discharge. But a case that was decided by the NLRB is an object lesson for health care employers on what is and what is not a violation of HIPAA – especially when union organizing is occurring.
Access to Patient Records in Grievance Procedure
A hospital that was targeted by a union’s organizing campaign was embroiled in controversy. The union filed several unfair labor practice charges that were found to be meritorious. In addition to those charges, which focused on changes in working conditions and various threats made by management, the discharge of a known union activist for a HIPAA violation is of particular interest. In this case, the pro-union employee was going to be given a warning for failing to check a patient’s vital signs prior to the patient’s discharge from the hospital. In an effort to defend himself, the employee accessed and printed the patient’s electronic medical record for use in the hospital’s internal grievance procedure. The hospital ended up discharging the employee for what it called a HIPAA violation.
Hospital’s Reasons Weren’t Believable
The problem was that the hospital was wildly inconsistent in how it justified its action. First, the hospital actually acknowledged that HIPAA allows the use of protected patient health information for the resolution of internal grievances. Second, the evidence showed that the hospital had granted the employee permission to view, copy and use the patient’s file in the grievance procedure, and there was no evidence that the employee exceeded the scope of the authorization. Third, the hospital changed its tune after first telling the employee that he would not be fired but then abruptly fired him. Fourth, the hospital didn’t discipline the doctor and the department manager who also accessed the same records for use in the same grievance proceeding. Finally, the hospital’s argument that it had an “honest belief” that a HIPAA violation had occurred simply was not credible according to the NLRB, given all the surrounding facts. The NLRB correctly concluded that the hospital seized upon the alleged HIPAA violation as a thinly-veiled attempt to rid itself of a known and vocal union organizer. The NLRB held that relying on the HIPAA “violation” was a pretext to disguise the hospital’s unlawful anti-union motive.
Lessons for Employers
There are several lessons to be taken from the hospital’s actions in this case:
- Protected health information can be used in connection with “internal grievance proceedings”;
- Inconsistent application of the rules supports a conclusion that the stated reason for the adverse action was a “pretext” to hide an unlawful motive;
- Shifting explanations for the proposed discipline is evidence of “pretext”;
- Employees of private employers have the right to engage in protected concerted activity for the purposes of union organizing;
- Private employers may not interfere with that right;
- Private employers may not discriminate against employees for engaging in conduct in support of union organizing;
- Employers need to have a legitimate non-discriminatory reason for taking any action and be able to prove it in order to defend charges of unfair labor practices; and
- When dealing with any known union activist or member of a protected class, make sure the real reason is consistently articulated, that it is supported by evidence, that it is consistent with past practice and that all the actions and explanations are believable.
If you have any questions, please contact Steve Lyman at slyman@wp.hallrender.com or your regular Hall Render attorney.
