New Case Raises Questions on Exiting Providers' Ability to Take Patient Lists
Healthcare Alert
Jan 4, 2016
Last month, the New York State Attorney General's office announced a settlement with the University of Rochester Medical Center ("URMC") over what it deemed to be a HIPAA violation. It announced that a URMC nurse practitioner gave a list containing 3,403 patient names, addresses and diagnoses to her future employer, Greater Rochester Neurology ("GRN"), without first obtaining authorization from the patients. GRN then used the information to mail letters to the listed patients, informing them that the nurse practitioner would be joining GRN, and providing instructions on how to switch their care to GRN.
Upon receiving calls from patients who had received the letter, URMC terminated the nurse practitioner, sent breach notification letters to the patients, and alerted the media. The New York Attorney General then initiated an investigation and determined that a breach had occurred. It reached a settlement with URMC, requiring it to train its workforce on policies and procedures related to protected patient health information, notify the Attorney General of future breaches, and pay a $15,000 penalty.
This case raises questions over the ability of individual clinicians to take patient lists or records with them upon changing employers. This ability can be the subject of debate and even litigation, since departing physicians and other clinicians often take the position that they should be able to contact their patients when moving to a new employer.
The New York Attorney General's interpretation of HIPAA does not set binding precedent in other states, though it may be referenced as persuasive authority by enforcement agencies or in disputes between health care providers. However, now that the New York Attorney General has weighed in on the controversy, covered entities should be particularly aware of the possibility that transferring patient lists or records between employers could be found to be a breach of patient privacy rights under HIPAA, and could lead to fines and other penalties.
Covered entities would therefore be well advised to seek legal counsel familiar with HIPAA when the subject of transferring patient lists arises, as well as when drafting or negotiating employment agreements that may speak to the ability of employees to retain patient lists or records.
If you have any questions on this topic, please contact your regular Hinshaw attorney.