An Unforgiving NLRB Holds That Protecting Patient Data Under HIPAA Can Still Violate Section 7 Rights

It would make sense that the systems housing patient records at a physician’s office should be protected by a robust duty on the part of the physician’s employees to keep such records confidential. The purpose, of course, is to ensure the physician’s responsibilities under the Health Information Portability and Accountability Act (“HIPAA”) are properly carried out. Further, at a time when hacking, and the identity theft that often follows, is ubiquitous, any custodian of sensitive records would be prudent to use a belt and suspenders approach to protecting data. This would further bolster the rationale for a strong company policy on confidentiality, right? Well, not quite.

As we noted in a previous post, the Board has been particularly aggressive in finding employer policies will run afoul of Section 7 of the Act even when they have strong threads of common sense attached to them. In the case we reported on in March – Latino Express, Inc., NLRB Case No. 13-CA-122006 (Mar. 17, 2015) – the Board came down against an employer even when the employer had already rescinded its questionable policy. The Board was very unforgiving in that instance and seems to be continuing that trend.

In Rocky Mountain Eye Center, NLRB Case Nos. 19-CA-134567, 19-CA-137315 (May 6, 2015), two employees of a physician’s office were terminated for disseminating records housed on the office’s information system, a system that included both patient and employee data. To protect this information, the company’s confidentiality rule stated that a “[b]reach of either patient or facility confidentiality is considered gross misconduct and may lead to immediate dismissal” and defined “confidential information” as “including, but not limited to patient information, physician information, personnel information, billing, purchasing and financial information.” So far, so good, right?

To support a union organizing drive, the two employees at issue had accessed the employer’s information systems to obtain contact information for several other employees, for the purpose of having the Union contact them. When the Union began contacting these employees, the employees questioned how the Union received their contact information, which prompted an investigation into whether a breach of the office’s records occurred. After an investigation, the company determined that the two employees breached the confidentiality rule by accessing and disseminating the employee information, housed in the same system as patient data, and they were terminated in accordance with the company’s confidentiality rule.

Of course, the NLRB held that the termination was unlawful. After first concluding that the confidentiality rule could reasonably be construed to restrict Section 7 rights, the NLRB reasoned that it was overly broad in that it included a prohibition against utilizing employee contact information which could be used for Union organizing. Further, the employer made the mistake of housing both employee and patient data on the same system, and such a mistake could not be attributed to the employees who were merely exercising their Section 7 rights by collecting employee contact information, not patient information.

Although not as shocking as the decision in Latino Express, the beat is clearly continuing to go on at this activist NLRB. With another unforgiving decision, employers should continue to be vigilant in reviewing their policies and be prepared to defend against similar charges from the Board. Oh, and while you’re at it, it’s a good idea to keep employee information separate from customer, client and patient data.