email menu on monitor screenRecently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which  had affirmed the Unemployment Compensation Referee’s decision that Jami M. Dantry (Dantry) was ineligible for unemployment compensation benefits because Dantry’ s conduct rose to the level of willful misconduct based on a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act  (FERPA), and for insubordination.  The Commonwealth Court of Pennsylvania remanded the matter to the Board for the issuance of a decision determining whether Dantry’s alleged insubordination constituted willful misconduct.

The Hope Learning Center (Hope) employed Dantry as an occupational therapist from September 2016 until March 22, 2017.  Hope terminated Dantry for forwarding an email containing individually identifiable health information about one of Dantry’s students from her work email account to her unsecured personal email account. Hope previously counseled and disciplined Dantry for insubordination, and Dantry was terminated for violating Hope’s HIPAA and FERPA policies and for insubordination. The emails at issue identified an elementary student by name and gender, the school district and classroom, and the child’s medical diagnosis and evaluation of therapies and treatment rendered. Hope testified that it had a policy located in the employee handbook that prohibits employees from violating HIPAA and FERPA, that Dantry signed a confidentiality statement also contained in the employee handbook, and signed a statement that she received HIPAA and FERPA training and education.

Dantry testified that she believed that Hope was fraudulently billing for her services and raised her concerns to Hope, which Hope dismissed.  Dantry testified that she was concerned about losing her occupational therapist license for overbilling, and believed she had good cause to send the email to her personal email account to protect herself in case of an audit by her employer or licensing board. Additionally, although Dantry acknowledged that she signed the confidentiality statement, Dantry alleged that she did not receive HIPAA and FERPA training.

The Commonwealth Court of Pennsylvania stated that although Hope’s termination of Dantry was based in part that Dantry’s conduct violated HIPAA and FERPA, Hope did not provide any evidence of the contents of its HIPAA and FERPA policies, other than testimony that the policies prohibit employees from violating these laws. The Commonwealth Court of Pennsylvania noted that an employer seeking to prove willful misconduct by showing that the claimant violated the employer’s rule or policy must prove the existence of such rule or policy and that the claimant violated it.  The Commonwealth Court of Pennsylvania concluded that Hope did not meet its burden to show that Dantry’s alleged insubordination constituted willful conduct because Hope did not provide evidence of the existence of the HIPAA and FERPA policies that Dantry had allegedly violated.

HIPAA requires covered entities to maintain HIPAA policies and procedures that address the requirements of the Security and Privacy Rules and train its workforce as necessary and appropriate for the workforce to carry out their functions within the covered entity. 45 C.F.R. §164.308(a)(5), §164.316, §164.530(b), and §164.530(i). A covered entity’s failure to maintain such policies and procedures and train its workforce may result in a breach of the security or confidentiality of PHI.  Health & Human Services Office for Civil Rights (OCR) investigates all breaches involving 500 or more individuals and routinely requests the covered entity to produce its HIPAA policies and evidence of training and education of its workforce.  OCR may take enforcement action against a covered entity for having inadequate HIPAA policies and lack of adequate training of its workforce, including the assessment of penalties and requiring specific corrective action to comply with HIPAA.  FERPA requires educational institutions to maintain the confidentiality of student records and may only disclose such records without student or parent consent in accordance with the exceptions set forth in the regulation. See,34 C.F.R. Part 99, Subpart D.

Although retaliation and whistleblower protections were not raised by Dantry, the HIPAA Privacy Rule protects the individual from retaliation for “exercising this right, and a covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise or for participation in any process by the individual.” 45 CFR §164.530(g).  Additionally, the HIPAA Privacy Rule states that the disclosure of PHI is a permissible disclosure provided that “the workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public.” 45 CFR §164.502(j)(1). The disclosure also must be made to a “health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity, to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards, or misconduct by the covered entity or to an attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct.”  Id. at §164.502(j)(ii)(A)-(B). When disciplining an employee for a HIPAA violation involving the unauthorized disclosure of PHI, a covered entity must be aware of these workforce protections and adequately address the noncompliance with the applicable policies without taking retaliatory action against a potential whistleblower.  Having clearly defined HIPAA policies, including the workforce sanction policy for noncompliance with the HIPAA policies and adequate documentation of any sanctions taken, will help protect a covered entity from retaliation claims when dealing with employee discipline.

Although this case is limited to Pennsylvania, it illustrates the need for a covered entity to have clearly defined HIPAA and FERPA policies so that employees understand what is expected of them.  An employee handbook that merely provides a statement that violating HIPAA or FERPA laws will result in disciplinary action does not provide employees with sufficient information as to the expected conduct to protect the privacy and confidentiality of . It is a stinging realization that a covered entity must accept that an employee terminated for violating a HIPAA policy would be eligible to receive unemployment compensation and worse for a covered entity to face OCR or the Department of Education enforcement action because of the lack of or inadequate policies and procedures.