An administrative law judge (ALJ) of the National Labor Relations Board has concluded that a health care employer’s use of its medical records software to store employee contact information allowed an employee to access that software for the purpose of sharing personal information about other employees with an outside union organizer. Rocky Mountain Eye Center, P.C., Case #’s 19-CA-134567, 19-CA-137315 (Laws, ALJ) (May 6, 2015).
The case arose out of the Rocky Mountain Eye Center’s discharge of an employee who had accessed and distributed the names and personal phone numbers, including mobile phone numbers, of 17 employees. The Employer had maintained that information in the same software system that it used to store information about patients.
The ALJ found that employees and supervisors accessed the system to obtain employee contact information for both work-related reasons (last-minute schedule changes) and personal reasons (after-work gatherings). The ALJ also found that the employer had trained employees to input their data into that system, even if they were not also patients, so that if anyone needed to contact them, they could look it up there.
The Employer argued that the employee’s actions violated HIPAA. It even self-reported the alleged violations to the Department of Health and Human Services, Office of Civil Rights. The Board’s General Counsel argued that “permitting use of a patient records system to store non-medical information about employees, whether patients or not, would permit HIPAA-covered employers to thwart the [National Labor Relations] Act in the guise of HIPAA compliance.” The ALJ agreed with the General Counsel and concluded that the Employer’s “comingling of employee and patient data in [the patient records system], along with its training instructions to employees and its practices [. . . ] preclude an legitimate defense that . . . accessing the system to obtain employee phone numbers warranted discipline as a HIPAA violation.”
This case not only highlights the heightened attention of the Board’s General Counsel to overly broad confidentiality policies, but also indicates the Board’s unwillingness to yield blindly to confidentiality requirements found in other federal laws, e.g., HIPAA. In light of this decision, health care employers should review how they use their electronic records systems, as well as their confidentiality policies surrounding those systems.