C-Level Law

C-Level Law

Email print

What to do When Misappropriation of Information by an Employee Includes Patient Information

July 17, 2025

By: Colin A. Walker

What to do When Misappropriation of Information by an Employee Includes Patient Information

 

Misappropriation of trade secrets and other confidential and/or proprietary company information has become all too common. Often the employee misappropriates such information in preparation for starting a competing business or accepting a position with a competitor.  If so, the employer may have a number of claims against the employee—and sometimes the competing business—and strong remedies. Claims could include breach of the duty of loyalty, misappropriation of trade secrets, breach of contracts such as non-disclosure agreements, intellectual property agreements, or non-compete agreements, and conversion.  Remedies may include temporary restraining orders and preliminary injunctions, replevin orders, monetary damages, attorneys’ fees, and punitive damages, just to list a few. Some of these remedies involve expedited procedures which could result in hearings and orders within a few weeks or even sooner in extreme cases.

 

However, these cases are expensive, time consuming, and stressful.  Some employers cannot afford litigation of this sort, and others choose not to spend the time and resources to pursue them if they think the employee’s actions are not likely to harm them. Other employers pursue litigation aggressively. When highly confidential third-party information, such as patient information, is involved, however, the employer may have little choice but to pursue litigation aggressively.

 

If the employer obtains healthcare information as part of its business, it will almost certainly be subject to HIPAA. Medical practices and other healthcare providers, known as “covered entities,” will be covered by HIPAA.  But others, who are not healthcare providers, but who provide services to them, may also be covered by HIPAA. These parties are known as “business associates.” 

 

If an employee of a covered entity or a business associate misappropriates information for any reason, including starting a competing business or accepting employment with a competing business, the information could include patient information.  This may well be unintentional or incidental.  The employee may want other information that is useful in a competing business such as business plans, financial information, pricing information, and customer information. This information, though probably protected by the law, is not necessarily covered by HIPAA. However, in the course of misappropriating this information, the employee may also obtain information covered by HIPAA. For example, if the employee copies the employers’ customer contact information, such as phone numbers, email addresses, etc., the files containing this information may also contain patient information such as diagnosis, healthcare procedures, etc.  In that case, by taking the information, the employee may have caused a HIPAA “breach.”  It doesn’t matter if the employee took the patient information unintentionally; it would still be a breach.

 

An employer who is a covered entity or a business associate has a number of important duties in the event of a HIPAA breach.  Following a breach, covered entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and, under some circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs by the business associate.  See: HIPPA for Professionals. The individual notices must be sent by mail or by email if the individuals have agreed to receive such notices by email.  Covered entities are required to provide notices to the media serving the affected state or jurisdiction if 500 or more residents of were affected. Covered entities must also notify the Secretary of Health and Human Services.  The notices must be provided without unreasonable delay and in no case later than 60 days after a breach. If fewer than 500 individuals are affected the covered entity may notify the Secretary annually.

 

However, these notices are only required if there is a “breach.”  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

In the case of misappropriation by an employee, these requirements can often be met, if the employee cooperates. If the employee agrees to return the information and to sign an affidavit confirming that the information was returned, copies were not retained, and copies were not transmitted to third parties, the above requirements might be satisfied.  Employees who are represented by competent legal counsel, or who otherwise understand the requirements of HIPAA, might be willing, or even eager, to cooperate.  And, employees who have taken such information may have no motive to disclose it because in most cases, they are trying to do business with patients, not trying to misuse their confidential healthcare information, unlike a person who is trying to use such information to commit identity theft.

 

On a related point, many states have laws with protect personal identifiable information (“PII”), which protects information other than healthcare information, such as social security numbers, phone numbers, email addresses, etc. See, e.g. here

 

If the employee refuses to cooperate, the employer may have little choice but to commence litigation, and to pursue it aggressively until the information is secured.  HIPAA has severe penalties and robust enforcement mechanisms, and the consequences of failing to remedy a breach can be severe. Thus, even where the employer will have difficulty paying for litigation or believes that the risks do not justify the costs of litigation, where HIPAA-protected information is involved, the employer may have to pursue litigation.  Of course, employers who are covered entities or business associates who think an employee may have caused a breach, should immediately confer with competent legal counsel who can advise it on these difficult issues and, if necessary, pursue litigation against an employee who has misappropriated such information.

Related Attorneys

Additional Posts

U.S. Supreme Court Holds that Same Employment Discrimination Standards Apply to Plaintiffs who are Members of a Majority Group

Recap of 2025 Colorado Legislative Session - Employment Law

Governor Polis Vetoes Amendments to Labor Peace Act

Colorado Employment Law: An Eye-Opening Experience

Ballot Initiative Would Eliminate At-Will Employment in Colorado

Implications of President Trump’s Executive Order on DEI for Private-Sector Employers

Salary Thresholds and Minimum Wage for 2025

New Colorado Law Prohibits Age-Related Inquiries on Job Applications

Should Holiday Pay be Included in Overtime Premiums?

Can A Supervisor Be Personally Liable for Discrimination?

Colorado Law Requires Employers to Keep Repository of Discrimination Complaints

Which State’s Law Applies to Employees Working Temporarily Outside of the State of their Residence?

Federal Court Strikes Down FTC Rule Banning Non-Compete Agreements

What Should An Employer Do When An Employee is Impaired At Work?

Court Stays FTC Non-Compete Rule – Only as to the Plaintiffs before the Court

U.S. Supreme Court Decision Leaves Agency Rulemaking Vulnerable to Lawsuits Challenging Agency’s Authority

Lawsuit Challenging FTC Rule Banning Non-Compete Agreements May Delay Implementation of Rule

Colorado Amends Non-Compete Law Regarding Training Repayment Agreement Provisions (TRAPS)

Colorado Governor Vetoes Bill Prohibiting Employers from Requiring Attendance at Meetings Involving Politics or Religion

Colorado Enacts Artificial Intelligence Law

Colorado Governor Vetoes Construction Industry Wage Claim Bill

EEOC Issues Pregnant Workers Fairness Act Regulations

FTC Bans Almost All Employee Noncompete Agreements: But Will the Rule Stick?

U.S. Supreme Court Holds that Job Transfer Can Be Discriminatory, Even if it Does Not Affect Pay or Benefits

Can an Employee Keep Copies of Documents as Evidence of Claims Against an Employer?

CDC Changes COVID Guidance

Does an Employer Have to Allow Employees to Review their Personnel Files?

In with the Old: Department of Labor Reinstates Prior Independent Contractor Classification: Employers Beware!

Colorado’s New Family and Medical Leave Law Goes into Effect

Colorado Department of Labor and Employment Proposes New Rules

Employment Law Implications of SCOTUS Affirmative Action Decision

U.S. Department of Labor Proposes Rule Increasing Salary Threshold for Exempt Workers

Fail to Honor Your Obligations and Lose the Right to Enforce Restrictive Covenants

Service Animals and Emotional Support Animals in the Workplace

New Colorado Law Prohibits Non-Disparagement and Non-Disclosure Agreements which Prohibit Disclosure of Unfair Employment Practices

Supreme Court Changes Standard for Religious Accommodation

Supreme Court Strikes Down College Admissions Programs which Give Preference Based on Race

The History of Laws Protecting LGBTQIA+ Workers from Discrimination and Harassment in the Workplace in Colorado

Are No-poach Agreements Legal?

Colorado Legislature Passes Amendments to Equal Pay for Equal Work Act

The End of COVID Public Health Emergency Leave

Colorado Legislature Passes Significant Changes to Workplace Harassment Laws

When Does Colorado's New Law on Covenants Not to Compete Require Written Notice?

NLRB Ruling Holds Confidentiality and Non-Disparagement Clauses Violated National Labor Relations Act

Fair Workweek Bill Fails in Colorado Legislature

POWR Bill Introduced in Colorado Senate

Supreme Court Confirms Strict Compliance Required to Exempt Highly Compensated Employees From Overtime Regulations

Denver Enacts New Wage Theft Ordinance

FTC Proposes Rule Banning Non-Compete Agreements for All Employees

Public Health Emergency Leave Expanded to Include Flu and other Respiratory Illnesses

Supreme Court Hears Affirmative Action Cases

Changing Times Creates Employment Law Minefield: Summary on Recent and Upcoming Changes to Employment Law

U.S. Department of Labor Proposes New Rule Regarding Independent Contractors

Criminal Issues in the Workplace

New Employment Laws Go Into Effect August 10, 2022

Lobbying and Employment Law

New Law Requires Notice of Reason for Termination

Is Hair a Protected Class?

2022 Colorado Legislative Session Brings Big Changes to Employment Law

Forced Arbitration Injustice Repeal Act (“FAIR Act”)

Does Your Company Need a Privacy Policy?

IT Forensics: Technology Security Issues That Employers Should Keep Top of Mind

“Sticks and stones can break my bones, but names can never hurt me…” Should Non-Disparagement Provisions be Included in Employment Agreements?

United States Women’s National Soccer Team Secures Historic $24 Million Equal Pay Settlement

Senate Passes Landmark Bill Ending Forced Arbitration of Workplace Sexual Harassment and Assault Claims

Can You Provide Different Benefits to Different Employees?

Happy New Year: Ready or Not, Here Comes 2022!

Senate Bill SB 21-217

Sixth Circuit to Preside Over Challenge to OSHA Vaccine Mandate

Court of Appeals Issues Temporary Stay of OSHA Vaccine Mandate

Navigating A Patchwork of Employment Laws: An HR Perspective

How A Recently Overturned Colorado Supreme Court Law Affects Employers

Dealing with A Patchwork of Employment Laws: Colorado Checklist 

Employment Law for Boards of Directors

Terminations

Recap of Employment Law in the 2021 Colorado Legislative Session

HR and Employment Law Considerations for Returning to Work After COVID-19

Litigation

Tips for a Successful Partnership with Your Employment Lawyer

Employment Law for Start-Ups

Can Employers Force Employees to Return to the Workplace?

Separation Agreements

Bill Introduced in Colorado Legislature Would Substantially Expand Employment Discrimination Law

Considerations for Departing Executives

Measures to Reduce Risk upon Separation

Colorado Statute Limits Use of Employee’s Personal Social Media Accounts for Business Purposes

Traps for the Unwary Executive or Founder When Offering Securities

Tax Considerations with Severance Pay: Section 409A

New Colorado Requirements for Job Postings Outside of an Employer's Organization

Termination of the Employment Relationship

Employment Law Changes To Expect Under the Biden Administration

Attorneys’ Fees Provisions

Golden Parachute or Golden Handcuffs?

CDLE Invokes Public Health Emergency Provisions of Healthy Families and Workplaces Act for 2021

Arbitration Agreements

Choice of Law and Venue

Newsflash: Pay Equity Law Goes Into Effect

Intellectual Property

I’ve been offered stock options. What should I do before I accept them?

Paid Family Leave Ballot Initiative Passes in Colorado

Issuing Stock Options

Garden Leave

Non-Compete/Non-Solicitation Agreements

Employment Agreements

Newsflash: State Paid Leave Legislation

Independent Contractors

Duty of Loyalty

Commissions and Non-Discretionary Bonuses

Deferred Compensation