A hospital employee, who has been “HIPAA-trained” and admits to knowing better, accesses his ex-wife’s new boyfriend’s medical records and posts sensitive information on social media. Is the hospital liable for the employee’s actions?
First, assume that the hospital did nothing wrong. That requires the assumption that the employee was adequately trained, that the employee’s job required that he have access to this data, and that there was no way to otherwise limit the employee’s access.