Mitigate Damage If Rogue Employee Shares Patient Info with Competitor

May 12, 2014 – In The News
Medical Practice Compliance Alert

Michael J. Kline and Elizabeth G. Litten were quoted in the Medical Practice Compliance Alert article, "Mitigate Damage If Rogue Employee Shares Patient Info with Competitor." Full text can be found in the May 12, 2014, issue, but a synopsis is noted below.

An employee of a urology practice who stole names and addresses of 1,144 patients and provided the information to a competitor to help solicit business may have left both medical groups vulnerable to legal action.

The medical practice conducted an investigation of the breach when it began receiving calls from concerned patients. The practice fired the employee, retrained staff about patient privacy and secured an agreement with the competitor to destroy the patient information.

“You can’t insure yourself against a rogue employee. The practice was a victim too,” said Michael Kline.

“It seems like they made a good faith effort (to comply with HIPAA),” said Elizabeth Litten.

The medical practice must now deal with the aftermath of a breach, including notifying patients and HHS. The practice has suggested that patients monitor their financial statements, rather than go the extra mile and provide credit monitoring to those affected.

“It would have cost about $12 a patient. It would have benefited both practices from a public relations standpoint,” said Kline.

The competing practice could be even more vulnerable to liability. “This involves deceptive and fraudulent practices and invasion of privacy,” Kline noted.

“This is so outrageous. It’s amazing the competitor did this,” Kline said.

If a competing practice were to obtain and inappropriately use your patients’ information, Kline suggests having the competitor indemnify you for the damages, such as the cost of notifying patients.