Benefits and Compensation, HR Management & Compliance

Court: HIPAA Violations are Grounds for Termination

The Kentucky Court of Appeals recently upheld the termination of a nurse who unintentionally disclosed a patient’s confidential health information while she was conducting a procedure.HIPAA


“Michelle,” a registered nurse, was employed by Norton Audubon Hospital. On May 7, 2013, Michelle and a technician were assisting a physician who was performing an echocardiogram. The patient, who had been diagnosed with hepatitis C, was situated in an examination area behind a privacy curtain. Other patients and medical personnel were nearby.

Before the procedure, Michelle warned the physician and the technician to wear gloves because the patient had been diagnosed with hepatitis C. The patient later filed a complaint with the hospital alleging that Michelle disclosed confidential patient health information when she made the comments.

According to the patient, Michelle’s voice was loud enough to be heard by other patients and medical personnel in the area. Michelle was terminated on May 9, 2013, after an investigation concluded that she violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

On October 30, 2013, Michelle filed a lawsuit in Jefferson Circuit Court alleging that Norton wrongfully terminated her employment. She also claimed that she was defamed when Norton investigated the incident and made defamatory statements about her to members of the Louisville Healthcare Consortium, a group of hospital leaders who work to identify employment strategies. The circuit court dismissed her claims, and Michelle appealed to the Kentucky Court of Appeals.

Court’s Ruling

On appeal, Michelle argued that she was wrongfully terminated in violation of public policy. She claimed that rather than violating HIPAA, she strictly complied with its requirements, and at most, she engaged in “incidental disclosure,” which is not illegal under HIPAA.

Finding Michelle’s argument unpersuasive, the court of appeals noted that Kentucky follows the employment-at-will doctrine, under which an employer may discharge an at-will employee for “good cause, for no cause, or for a cause that some might view as morally indefensible.”

A narrow exception to the rule exists when the discharge is contrary to fundamental and well-defined public policy as evinced by existing constitutional or statutory law. In other words, an employee cannot be terminated because she refused to violate the law or exercised a statutorily conferred right.

The court found no evidence that Norton had asked Michelle to violate the law. Nor had she exercised some statutory right. Rather, she was terminated because she violated HIPAA. Even if the hospital had been objectively wrong that Michelle violated HIPAA, she couldn’t rely on the healthcare privacy law as the basis for a wrongful discharge claim.

To state a public-policy claim, an employee must identify a statute that provides protection for her employment. HIPAA’s confidentiality provision exists to protect patients, not healthcare workers. Because Michelle couldn’t identify a public policy that Norton violated, her wrongful discharge claim was dismissed.

Michelle also claimed that Norton published defamatory statements about her in her work record and to the healthcare consortium. The court explained that defamation requires proof that the statements were false, and truth is an absolute defense to a defamation claim.

To prove the statements about her employment were false, Michelle cited an unemployment referee’s finding that she did not violate HIPAA. She also presented an affidavit from another Norton employee who was nearby during the incident with the patient but didn’t hear her mention hepatitis C.

Dismissing Michelle’s defamation claim, the court explained that it wasn’t bound by the unemployment referee’s finding. Rather, the evidence in the record demonstrated that the allegedly defamatory statements were in fact true.

HIPAA requires healthcare providers to use the minimum amount of protected information to accomplish their purpose, and Michelle’s statement about the patient’s hepatitis C wasn’t the minimum amount of necessary information. A physician doesn’t need to know that a patient has an infectious disease in order to wear protective gloves. Because the record supported a finding that Michelle violated HIPAA, the statements about her employment were not defamatory. Hereford v. Norton Healthcare Inc., 2015-CA-001958-MR, 2017 WL 3129194 (Ky. App., July 21, 2017).

Bottom Line

It isn’t illegal to terminate employees for violating HIPAA—even if the violation is inadvertent or unintentional. Healthcare employers should remind employees about their HIPAA obligations and ensure that workers receive regular training on the proper handling of protected patient health information. Moreover, the failure to implement a uniform HIPAA policy could expose healthcare employers to liability.

Jennifer Bame, contributor to Kentucky Employment Law Letter, can be reached at

Leave a Reply

Your email address will not be published. Required fields are marked *