The University of Rochester Medical Center (“URMC”) recently agreed to pay a $15,000 penalty for providing patient names, addresses, and diagnoses to a departing nurse practitioner (“NP”) without first obtaining authorization from those patients. The penalty was the result of a settlement with New York Attorney General Eric Schneiderman.

The settlement arose from events in the spring of 2015. In March 2015, the NP was preparing to leave URMC for a position at Greater Rochester Neurology (“GRN”). Before leaving, she asked for a list of patients she treated while employed at URMC, and URMC provided her with a spreadsheet containing the protected health information (“PHI”) of 3,403 patients. Although the Health Information Portability and Accountability Act of 1996 (“HIPAA”) prohibits the unauthorized disclosure of PHI, the NP disclosed the PHI to her new employer, GRN, without the patients’ authorization. In April 2015, GRN sent letters to the patients whose names were on the spreadsheet announcing that the NP had joined the practice and advising them of how to switch to GRN. URMC began receiving calls from patients who were upset that their confidential medical information had been disclosed without their permission.

URMC responded by sending breach notification letters to the affected patients and notifying the media. The NP was interviewed, suspended, and subsequently terminated. URMC also obtained an attestation from GRN that all PHI transmitted by URMC had been returned or deleted. URMC’s Privacy and Security Executive Committee formed a task force to review the hospital’s privacy and security requirements and the protocol for disclosure of PHI with respect to departing and incoming workforce members. On June 11, 2015, URMC reminded its workforce that all patient information was the property of URMC and could not be copied, shared, removed, or transferred without the permission of both URMC and the patient. It also informed URMC’s workforce of its policy that information regarding continuity of care was to be communicated to patients by URMC, not the individual health care providers.

Pursuant to the Health Information Technology for Economic and Clinical Health Act, state attorneys general are empowered to enforce HIPAA regulations through civil actions against violators. In addition to paying a $15,000 penalty, URMC agreed to train its workforce on policies and procedures related to PHI and notify the Attorney General of future breaches.

This settlement addresses several questions that often arise when a physician (or other health care professional) departs a hospital or medical group (“health care entity”).

What is the health care entity’s responsibility when a physician departs? The health care entity has the dual role of safeguarding the medical record while facilitating continuity of care. It must protect the patient’s medical record and not release it without patient authorization.

Should patients be notified of the physician’s departure? The answer is yes. The American Medical Association’s Ethical Opinion E-7.03 provides that “[t]he patients of a physician who leaves a group practice should be notified that the physician is leaving the group.”

Who should provide the notice? The health care entity, which is the party responsible for maintaining custody of the medical record, should send the notice. It may, if it chooses, permit the physician to have input as to the text of the notice. It may also resolve the issue in advance by including a provision in the physician’s written employment or other affiliation agreement that specifies the details of the notice that the health care entity will send in the event of the physician’s departure.

Is a list of patient names without information about the patient’s medical condition considered PHI? HIPAA protects information that relates to the past, present, or future physical or mental health or condition of an individual when there is a reasonable basis to believe the information can identify the individual. A physician’s list of patient names by itself is not PHI, but if the physician’s practice only serves patients with a certain health condition, then it may be reasonable to assume that every patient on the list must have the condition. In that circumstance, the list of names may be PHI.

What should be in the notice? The content of the notice will depend upon state law. For example, the Ohio Medical Board has adopted specific rules about the content of the notice, which must include the following (Rule 4731-27-03):

  • Notice to the patient that the physician will no longer be practicing medicine at the health care entity
  • The date the physician ceased or will cease to provide medical services at the health care entity
  • If the physician will be practicing medicine in another location, contact information for the physician subsequent to leaving the health care entity
  • Contact information for an alternative physician or physicians employed by the health care entity or contact information for a group practice that can provide care for the patient
  • Contact information that enables the patient to obtain information on the patient's medical records.

The Ohio rules require the health care entity to send the notice to patients, but it may satisfy its statutory obligation by providing patient contact information to the departing physician and requiring the physician to send the notice to patients.

The California Medical Board ("CMA") advises that patients should be notified of changes in the medical practice and recommends "that due care should be exercised when closing or departing from a medical practice." California health care entities should review CMA guidance before sending the notice.

What should a hospital or medical group do now?

Health care entities must be prepared for the departure of physicians and other health care professionals. According to Schneiderman, “Other medical centers, hospitals, health care providers, and health care entities should view this settlement as a warning, and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information.”