Physician Practice

Former medical center nurse shares patients' PHI with new practice employer

Physician Practice Insider, June 16, 2015

If you’re leaving your job for a position at another medical practice, you can just take your patients’ files with you for future use, right? Wrong. It’s a breach of privacy under HIPAA.
A nurse practitioner did just that, however, when she left her job at the University of Rochester Medical Center (URMC) in Rochester, New York, for a position at a local outside practice, Greater Rochester Neurology.
The employee took a list with her containing information on thousands of her patients and then shared that list with her new employer, all without getting permission from the patients, according to a press release issued May 26 by URMC.
Once the university became aware of the situation April 24, school officials notified 3,403 patients of its neurology department about the situation. The list contained names, addresses, birthdates, gender, diagnoses, internal patient numbers, and the last time patients were seen by URMC healthcare providers.
The university’s letter to patients assured them, however, the list did not contain Social Security numbers or insurance and treatment information. The former employee was not named.
“She had requested the list to help ensure continuity of care for the patients she was leaving, and she was provided the list for that purpose,” wrote neurology department chairman Robert Holloway, MD, MPH, in the letter. “She did not have permission from URMC to share the list outside the institution, nor did she have authorization from the patients whose information was on the list.”
Holloway explained URMC investigated the situation and learned the neurology practice used the list to send letters to those patients, informing them the nurse practitioner was joining the practice and they had the option of being treated there instead. That constituted a HIPAA privacy violation.
The outside practice assured URMC that it didn’t disclose any information to third parties nor use the list for anything other than sending letters to some of the nurse’s former patients, Holloway noted. No copies of the list were made, he said, and the original document was returned to the university.
One other step URMC took was ensuring clinical staff were aware of the incident and clarifying their responsibilities regarding PHI, Holloway said.


This article originally appeared on HCPro’s HIPAA Update blog.

Most Popular