Nurse supervisor gets legal advice on dealing with thieving nurses

By Attorney Michael J. Sacopulos and Dr. Erik P. Southard DNP, FNP-BC

Q: I am a supervisory nurse who works at a plastic surgeon’s office. We recently had another nurse take a list of 70 patients from our office to an interview with a competing dermatologist. What should I

A: This is an issue that seems to come up at least three or four times a year. Why so many nurses feel the need to steal patient charts from a former employer is beyond me. If the nurses in question did not learn that thievery was wrong as children, they certainly would have learned about the consequences of their actions in nursing school.

Regardless, as a supervisory nurse, you cannot assume that employees and new hires are fully aware of policies governing the appropriate handling of protected health information. To safeguard the practice against future legal liability, supervisory nurses need to be proactive. Practice policies and procedures must be written to include a process that clearly communicates the office’s commitment to patient confidentiality.


All employees must be required to participate in standardized HIPAA training upon their hire and on an annual basis in perpetuity. The training should include information about what constitutes protected health information, each individual employee’s legal obligation to protect sensitive information, as well as the possible criminal, civil, and professional repercussions for failing to uphold the confidentiality standards. Completion of the training should be marked with a form which spells out the employee’s responsibilities and documents the employee’s signed, dated and witnessed promise to uphold the standards.

The practice also needs to look at state and federal laws to formulate a plan for how to handle even the smallest unauthorized release of protected health information. These simple steps will likely protect the practice and its employees from the following potential outcomes:
1) A HIPAA violation has occurred because medical records have been taken out of the practice (presumably for distribution to another physician/practice). This may trigger breach notification requirements, which can be costly. The nurse can legally be held responsible for reimbursing these expenses.

2) The taking of the charts is conversion under every state law I am aware of. Conversion is the unauthorized use or control of someone else’s property and is a criminal act. Most states allow for three times the value of the property, attorney fees, and related costs necessary for the recovery. Nurses or other healthcare professionals found guilty of conversion can be made to pay through the nose for their

Is it Legal?

3) The event clearly should be reported to the state nursing board for discipline to prevent this from happening to patients in the future. The nurses’ licenses could be in jeopardy for this behavior. Bear in mind that threatening to turn the nurses in to gain a persuasive advantage could be viewed as

4) Next, the dermatologist/new employer may have liability. The plastic surgeon has a “contractual relationship” with these patients. Contacting these patients in an effort to solicit them could be viewed as an interference with established contractual relationships. Further, the patient information (names, addresses, conditions, etc.) in many states could be considered a trade secret/proprietary to the plastic surgeon. This means the plastic surgeon could legally force the return of the information from either (or both) the dermatologist or the RN. This is a long way of saying that the dermatologist/new employer has potential liability here.

The next steps for you, as the supervisory nurse, would be to suggest to your employer that

1) Send a certified letter (to prove receipt and establish the seriousness of the matter) to the nurse or nurses involved. The letter should require a) the immediate return of all patient charts; and b) an affidavit from the RN describing whom she has shown the charts to (hopefully no one). This will help determine obligations under

2) Send a certified letter to the dermatologist threatening legal action if the information/charts are not returned. Further, the contacting of any patient would be a HIPAA violation which will be reported. This will, undoubtedly, get the dermatologist/new employer to read the Riot Act to his/her new RN.

the President and CEO of Southard & Associates L.L.C. He is also the Director of the Doctor of Nursing Practice Program and Assistant Professor in the Department of Advanced Practice Nursing at Indiana State University and he continues to work as a family nurse practitioner. He is a graduate of Vincennes University, Indiana State University and Johns Hopkins University


Attorney Michael J. Sacopulos is the CEO of Medical Risk Institute (MRI), a firm formed exclusively to provide proactive counsel to the healthcare community. He is a member of the Indiana Defense Lawyers Association as well as several other legal associations and was honored in 2009 and 2010 as a Best Lawyer in America for Corporate Law.