Terrell v. Main Line Health, Inc., 2018 WL 2462005 (E.D. Pa. 2018)
A federal court has dismissed a hospital secretary’s age discrimination claims, rejecting assertions that the stated reason for her termination—violation of her employer’s HIPAA policies—was a mere pretext. The secretary twice accessed a database containing protected health information (PHI) to look up a coworker’s phone number, supposedly to see if the coworker would be coming into work. The secretary did not call the coworker, but the hospital’s automatic monitoring system flagged the first time the secretary accessed the database and sent an email to the secretary’s supervisor. The supervisor noted that the secretary did not need to access the PHI, and an investigation ensued—during which the second instance of accessing PHI was discovered. The hospital then applied its disciplinary policy, which resulted in the secretary’s termination following review and approval by senior administrators. The secretary, who was over 60 and had been employed by the hospital for more than 40 years, filed claims of age discrimination.
The court focused on whether the stated reason for termination was legitimate and nondiscriminatory, and noted that the hospital identified violations of several HIPAA policies. The court rejected the secretary’s contention that the coworker’s telephone number, as demographic information, was not PHI. Moreover, the database she accessed included other information that clearly was PHI: the coworker’s Social Security number, birthdate, patient number, and dates of hospital admissions. The court further concluded that the hospital did not target the secretary for investigation based on her age—the unauthorized access was flagged by the monitoring software. Regarding the severity of the sanction, the court observed that termination was consistent with the hospital’s written policies, which did not require progressive discipline. Looking to consequences for other employees charged with similar conduct, the court noted that more than half the non-terminated employees were in an age-protected class, and one-third of the terminated employees were too young to be age-protected. Consequently, the records did not reflect disparate treatment of age-protected employees sufficient to support an inference that the secretary’s firing for HIPAA violations was a pretext for age discrimination.
EBIA Comment: Employee contact information typically is not PHI, but the secretary implicated HIPAA by obtaining the coworker’s phone number from a medical record. The hospital’s handling of this case was exemplary from a HIPAA perspective. It identified threats to a database containing PHI, established protections for the database, and implemented detection mechanisms to monitor access to PHI. After questionable access was detected, the hospital responded promptly with an investigation. It then applied a well-documented sanctions policy and could show its actions were consistent in similar cases. The hospital’s robust training program, which allowed it to show that the secretary should have known that her conduct was improper, also contributed to the outcome. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVIII.B (“Training”), XXVIII.E (“Sanctions”), XXX.B.1.c (“Sanctions Policy (Required Implementation Specification)”), and XXX.D.2 (“Technical Safeguards: Audit Controls”). See also EBIA’s Group Health Plan Mandates manual at Section XIX.A (“What Is the ADEA and Who Must Comply?”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded 1/17/18).
Contributing Editors: EBIA Staff.
