Arkansas data breach remains unclear, gender discrimination lawsuit at core

Physician says access was authorized, cites gender discrimination

Some 1,500 patients at the University of Arkansas for Medical Sciences (UAMS) are being notified of a medical data breach involving a resident physician whose employment was terminated in 2010. The incident's validity, however, remains contentious and unclear, as it involves an earlier lawsuit against UAMS, filed by the physician who has cited allegations of gender discrimination.

According to UAMS officials, former resident doctor Nasrin Fatemi, MD, kept some patient lists and notes in violation of UAMS policy after leaving UAMS on June 3, 2010. The documents Fatemi kept were from January 2010 to June 2010 and contained patient names, partial addresses, medical record numbers, dates of birth, locations of care, dates of service, diagnoses, medications, surgical and other procedure names, and lab results. Officials say no social security, bank account, or credit card numbers were included with this information.

The UAMS HIPAA Office became aware of the incident Oct. 9, 2012, when Fatemi produced the documents during her lawsuit against UAMS regarding her termination from a residency program, citing discrimination charges against UAMS. She filed the lawsuit June 2, 2011.

"Documents containing patient information were provided to Dr. Fatemi by UAMS after she was terminated and other documents containing patient information have been produced by UAMS during the litigation," said Nathan Goldberg, the lawyer representing Fatemi, to Healthcare IT News. "[She] did not misuse any documents, and their security has not been compromised in any way. "

However, these documents, UAMS officials argue, were different than those related to the reported breach. "The documents that are issued in this breach are documents that the resident took before she was terminated," said Leslie Taylor, spokesperson for UAMS. "Some of those didn't even pertain to the patients she saw, so they weren't documents that she was using in the course of her duties." As a resident physician, Fatemi had authorized access to patient records. However, Taylor said Fatemi accessed operating room schedules for patients that weren't necessarily hers.

Fatemi was the only female resident in her neurosurgery program, and, according to the lawsuit, she was treated differently from the male residents. Issues of "discrimination, disparate treatment and harassment and questioning" were also cited.

While working for UAMS, Fatemi had filed several complaints to the attending surgeons, the chief resident and others, alleging gender discrimination. Shortly after, John Day, MD, incoming program chair, terminated Fatemi's employment according to court documents. Fatemi was subsequently replaced with a male resident.

On Nov. 7, 2012, UAMS became aware that additional documents the resident kept had been provided to UAMS attorneys June 25, 2012. The records are now protected by a court order, which prevents them from becoming a public record and will prevent anyone from further using or disclosing the documents.

According to Fatemi's affidavit, she denies having made "any unauthorized use or disclosure of any patient protected health information (PHI) at any time during my residency or thereafter."

"UAMS has known that Dr. Fatemi retained documents provided to her during her residency for more than a year," Goldberg added. "And they are now making an issue of it in an effort to bolster their argument that Dr. Fatemi’s retention of these documents after the fact is a basis for their having fired her."

Fatemi also asserts that she did not, in fact, violate UAMS policy, which states: "For Uses of PHI by UAMS health care professional for treatment: UAMS physicians, nurses or other health care professionals may have access to and use the entire medial record of a patient, as needed, for purposes of treatment of that patient. The UAMS physicians, nurses and other health care professionals will use their professional judgment to determine the minimum necessary PHI needed for the purposes of treatment, and will not be precluded from having access to the entire medical record or any other Protected Health Information determined by the health care professional to be needed for this purpose."

Previous
1