The recent launch of GDPR in the EU (spawning lawsuits against Google and Facebook for $8.8 billion) and the endless string of data breaches (from Target and Home Depot to Equifax and Under Armour) have data privacy on everyone’s mind. A recently decided case in Pennsylvania, Terrell v. Main Line Health, Inc., E.D. Pa., No. 17-3102, should give businesses some degree of relief while at the same time highlighting an area of data privacy that is often overlooked: employee access to personally identifiable information.

Gloria Terrell worked for Main Line Hospital. According to the hospital, Terrell was fired for twice using Main Line Hospitals’ internal records system to access a co-worker’s phone number. Because the Health Information Portability and Accountability Act (HIPAA) covers hospital employee phone numbers as protected health information, Main Line had a strict policy prohibiting its employees from using the internal records system to access information about co-workers. Terrell claimed, however, that she was fired because of her age in violation of the Age Discrimination in Employment Act.

Main Line persuaded the court on a motion for summary judgment that Ms. Terrell was fired for violating Main Line’s policies. The court ruled that terminating an employee who accesses personal data without authorization (in violation of privacy protection laws, in this case HIPAA, and in violation of company policy) is a legitimate non-discriminatory reason for termination.

Although the decision gives businesses some comfort—i.e., they can discipline employees who violate privacy laws and company policies designed to protect personal information—it also highlights a potentially overlooked area of data privacy that employers may need to address. In many businesses, employees have access to large amounts of personal information—whether the personal information of other employees or the personal information of the company’s clients. Without adequate controls limiting employee access to the information they need to do their jobs, companies may be unknowingly and unnecessarily exposing themselves to the significant liability that could arise if careless or disgruntled employees access and disclose protected information.