One of your employees discloses your organization’s patient information to a soon-to-be new employer for use in generating business at the new employer’s competing business, and your company has to settle with the New York State Attorney General for HIPAA violations. Make sense?

This is what happened according to a published settlement agreement (pdf) that was reached between the University of Rochester Medical Center (URMC) and New York Attorney General Eric Schneiderman, whose office announced the settlement on December 2. As part of the settlement, and in addition to agreeing to pay $15,000, URMC submitted to an extensive review of its policies and procedures by the Office of Attorney General (OAG), and agreed to report certain breaches of PHI to the OAG for the next three years, among other things.

In this case, a URMC nurse practitioner, who was planning on leaving URMC to work for another provider, asked URMC for a list of all of the patients she treated while at URMC; URMC provided a list of 3,403 patients to her. Without getting patient authorization, the nurse practitioner provided that list to her new employer. The new employer then sent a mailing to those patients letting them know of the nurse practitioner’s move and that they could choose to be treated at the new company.

Some health care professionals may take the position that the patients are their patients, that they have the treatment relationship with the patients, and therefore there is no HIPAA issue in situations like these. Not so fast. The practice may own the data, not the providers it employs. And, patients may look to the practice, and not the particular provider, as the party responsible for safeguarding their protected health information. This appears to be the case here as URMC learned about the breach when some of its patients called to complain that they had received letters from the other provider.

Electronic medical records and related systems are essential to a functioning healthcare organization, and health care providers often have broad access to patient files to do their jobs. So, stopping these types of incidents entirely seems virtually impossible. Minimizing the risk, however, is possible through straightforward policies and training, as well as systems that can limit access to data to the extent appropriate for the business and applicable law. Non-compete and other agreements with workers also may be useful in addressing these and related risks involving patient data when healthcare workers move on.

This development is an important reminder for covered entities and business associates about HIPAA compliance and the practical realities of business that also have data security implications. Covered entities and business associates also should remember that state attorneys general have enforcement authority under HIPAA, and they are using it.