In June 2019, Amy Pertuit was awarded $300,000 after a jury determined that Medical Center Enterprise failed to take action against an employee who provided illegal access to medical records.

Amy Pertuit is married to Leif Pertuit, who was involved in a visitation issue with his ex-wife, Deanna Mortenson.  In January 2015, Mortenson contacted Dr. Lyn Diefenderfer and asked her to access Amy Pertuit’s information through a website called the Alabama Prescription Drug Monitoring Program.

Diefenderfer was never Pertuit’s doctor, nor had Pertuit ever been a patient of Medical Center Enterprise.  This means that Diefenderfer had no business need to know anything about Pertuit or the drugs she may be taking.  This is a huge HIPAA compliance violation.

Pertuit ended up filing a formal complaint with the Department of Health and Human Services (HHS).  HHS put Medical Center Enterprise on notice, but the hospital didn’t do anything.  This meant Diefenderfer could easily continue accessing people’s information without a business need to do so.  This is even more of a HIPAA compliance issue.

Medical Center Enterprise’s own privacy officer stated that they found 22 separate violations of HIPAA or of their privacy policy by Dr. Diefenderfer.  Their privacy officer also said that Dr. Diefenderfer disclosed information to Mortenson, the ex-wife, in 2016.  This was after Medical Center Enterprise knew of the issue and never took action.

It’s no surprise that with all this evidence, the jury decided that Pertuit should be awarded $5,000 for pain and suffering and $295,000 in punitive damages against Medical Center Enterprise for not doing anything when the issue was brought to them.

This is a perfect example of what not to do when it comes to HIPAA compliance. Employees should never view or disclose information on a patient unless they have a business need to do so.  If an employee does violate this requirement and it is brought to an organization’s attention, immediate action should be taken.  A sanction policy can help determine the severity of the punishment for the employee, up to and including termination.
