New Case Raises Questions on Exiting Providers' Ability to Take Patient Lists
Health Law Alert
Last month, the New York State Attorney General's office announced a settlement with the University of Rochester Medical Center ("URMC") over what it deemed to be a HIPAA violation. It announced that a URMC nurse practitioner gave a list containing 3,403 patient names, addresses and diagnoses to her future employer, Greater Rochester Neurology ("GRN") without first obtaining authorization from the patients. GRN then used the information to mail letters to the listed patients, informing them that the nurse practitioner would be joining GRN, and providing instructions on how to switch their care to GRN.
Upon receiving calls from patients who had received the letter, URMC terminated the nurse practitioner, sent breach notification letters to the patients, and alerted the media. The New York Attorney General then initiated an investigation and determined that a breach had occurred. It reached a settlement with URMC, requiring it to train its workforce on policies and procedures related to protected patient health information, notify the Attorney General of future breaches, and pay a $15,000 penalty.
This case raises questions over the ability of individual clinicians to take patient lists or records with them upon changing employers. This ability can be the subject of debate and even litigation, since departing physicians and other clinicians often take the position that they should be able to contact their patients when moving to a new employer.
The New York Attorney General's interpretation of HIPAA does not set binding precedent in other states, though it may be referenced as persuasive authority by enforcement agencies or in disputes between health care providers. However, now that the New York Attorney General has weighed in on the controversy, covered entities should be particularly aware of the possibility that transferring patient lists or records between employers could be found to be a breach of patient privacy rights under HIPAA, and could lead to fines and other penalties.
Covered entities would therefore be well advised to seek legal counsel familiar with HIPAA when the subject of transferring patient lists arises, as well as when drafting or negotiating employment agreements that may speak to the ability of employees to retain patient lists or records.