Termination of Nurse for HIPAA Violation Upheld by the Court

HIPAA Waiver

A Norton Audubon Hospital patient alleged that a nurse, Dianna Hereford, committed a HIPAA violation and the case ended in the termination of the registered nurse’s employment contract. The nurse filed an action against her employer in the Jefferson Circuit Court for wrongfully terminating her contract because of a HIPAA violation that she allegedly committed, when she claims to have having strictly followed HIPAA regulations.

The reason for the nurse’s dismissal was an alleged impermissible PHI disclosure. Hereford was assigned to Norton Audubon Hospital’s Post Anesthesia Care Unit. She was the assisting nurse in a transesophageal echocardiogram. Prior to the procedure, the patient was sent to an examination space enclosed by a curtain. Hereford, a doctor, and an echocardiogram technician, were with the patient.

Alleged Improper Disclosure of Sensitive Medical Information

Prior to the procedure, Hereford took a ‘Time-Out’ to make sure the patient fully understood what would happen during the procedure. She also checked if the site for procedure was clearly marked and ensured they had the required diagnostic tools. Hereford said to the doctor and technician that they need to wear gloves since the patient had hepatitis C.

When the procedure was over, the patient submitted a complaint against Hereford alleging she spoke loud enough to allow other patients and medical personnel in the area to hear that she had hepatitis C. During the investigation of the complaint, Hereford was put on administrative leave, and then terminated for the HIPAA violation, specifically for the unnecessary disclosure of sensitive health data.

In Hereford’s action for unfair dismissal, she claimed that it was only an ‘incidental disclosure’, which does not constitute a HIPAA Rules violation. Hereford additionally acquired the professional viewpoint of an unemployment insurance referee, who stated that no HIPAA violation happened. She furthermore claimed that defamatory statements about her were made to the Metropolitan Louisville Healthcare Consortium.

Norton Audubon Hospital submitted a motion to dismiss the claim for wrongful termination or a motion for summary judgement, as a substitute. The Circuit Court approved the motion to dismiss, since the judge deemed there was an unnecessary PHI disclosure. It was not necessary to remind the physician to wear gloves to avoid contracting an infectious disease during a procedure as this is standard procedure. Nonetheless, the court denied the motion to dismiss the defamation claim.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The hospital sought summary judgement regarding the defamation claim, which was dismissed with prejudice in October 2015. The court rules that speaking the truth regarding the HIPAA violation as being the basis for termination couldn’t have defamed Hereford.

Court of Appeals Concurs with Nurse HIPAA Violation

Hereford took her case to the Kentucky Court of Appeals. The Court of Appeals found out that there’s no way for Hereford to count on HIPAA in a wrongful termination claim since the confidentiality provisions of HIPAA are there to protect patients and not healthcare employees.

Regarding the wrongful dismissal claim, the decision of the court was based on the minimum required standard, which limits any disclosure of PHI to the minimum required to achieve a specific objective – 45 CFR 164.502. The court concluded that there had been a HIPAA violation. The Court of Appeals likewise agreed with the lower court’s decision to dismiss the defamation claim since there can’t be defamation when only the truth concerning the reason for dismissal was given to the Metropolitan Louisville Healthcare Consortium.

Minimum and Maximum HIPAA Violation Penalties for Nurses

Penalties for nurses who violate HIPAA Rules are tiered based on the degree of negligence. The four tiers of HIPAA violation penalties for nurses range from unknowing violations to intentional neglect of HIPAA Rules. The following lists the minimum fines per violation for each tier:

  • $100 for tier 1
  • $1,000 for tier 2
  • $10,000 for tier 3
  • $50,000 for tier 4.

The Department of Health and Human Services, or the state attorneys general, determine the penalty amounts when they make a decision to issue HIPAA violations penalties. The maximum fine for one HIPAA violation is $50,000 per violation with a yearly maximum of $1.5 million per violation category. Severe violations of HIPAA Rules can lead to criminal charges for HIPAA violations, and possibly jail time.

HIPAA Rules are Dealt with by the U.S. Department of Justice

Nurses who intentionally acquire or disclose individually identifiable protected health information can be fined up to $50,000 and given up to one year imprisonment. If an offense occurs under false pretenses, the criminal penalties go up to $100,000 and up to 5 years in prison. If there’s an intention to sell, transmit, or illegally utilize PHI for personal profit, marketing advantage, or malicious harm, the highest penalty is up to a $250,000 fine and 10 years in jail. If there was identity theft, the Identity Theft Penalty Enhancement Act demands a compulsory minimum of two-year imprisonment.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/