Summary
affirming the denial of unemployment insurance benefits based upon work-related misconduct where a hospital secretary accessed a patient's confidential medical records for a non-work related reason knowing that it violated the hospital's confidentiality policy concerning HIPAA
Summary of this case from Hadley v. Reemployment Assistance Appeals Comm'nOpinion
Docket No. 1–11–1835.
2012-12-19
Fran PESOLI, Plaintiff–Appellant, v. The DEPARTMENT OF EMPLOYMENT SECURITY; Director of The Department of Employment Security; The Board of Review; And Advocate Health Hospital Corporation, Defendants–Appellees.
Law Office of Bert Zaczek, of Chicago (Bert Zaczek and Amy Pikarsky, of counsel), for appellant. Lisa Madigan, Attorney General, of Chicago (Michael A. Scodro, Solicitor General, and Elaine Wyder-Harshman, Assistant Attorney General, of counsel), for appellees.
Law Office of Bert Zaczek, of Chicago (Bert Zaczek and Amy Pikarsky, of counsel), for appellant. Lisa Madigan, Attorney General, of Chicago (Michael A. Scodro, Solicitor General, and Elaine Wyder-Harshman, Assistant Attorney General, of counsel), for appellees.
OPINION
Presiding Justice NEVILLE delivered the judgment of the court, with opinion.
¶ 1 Fran Pesoli appeals from an order of the circuit court affirming the decision of the Board of Review of the Illinois Department of Employment Security (Board) which denied Pesoli's claim for unemployment insurance benefits pursuant to section 602(A) of the Illinois Unemployment Insurance Act (Act). 820 ILCS 405/602(A) (West 2008). On appeal, Pesoli contends that the evidence does not support the Board's finding that she was discharged for misconduct connected with her work.
¶ 2 We find that the Board's finding that Pesoli accessed a patient's confidential hospital records outside of her job responsibilities was not contrary to the manifest weight of the evidence. We hold that the Board's decision, that Pesoli was ineligible for unemployment insurance benefits under section 602(A) of the Act based on misconduct connected with her work, was not clearly erroneous because Pesoli was aware of her employer's confidentiality rule or policy and she disregarded the policy, which made her conduct willful, deliberate and potentially harmful to her employer. Accordingly, we affirm the Board's decision.
¶ 3 Background
¶ 4 Pesoli worked as a secretary in the radiation oncology services department at Advocate Lutheran General Hospital (Advocate) from August 1997 until her discharge on September 28, 2009. Advocate discharged Pesoli for accessing a patient's hospital records which was a violation of Advocate's confidentiality policy and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) ( Pub. L. No. 104–191, 110 Stat. 1936) (codified as amended in scattered sections of titles 18, 26, 29 and 42 of the United States Code).
Documents in the record use the dates September 28 and 29, 2009, when referring to Pesoli's discharge. We will use the date of September 28, 2009, as the date of Pesoli's discharge because that date was on Pesoli's misconduct questionnaire and on Advocate's corrective action notice.
¶ 5 Advocate's confidentiality policy provides in pertinent part as follows:
“Associates may only access computerized data from an Advocate system when necessary for the proper performance of their job responsibilities. All information contained in any Advocate computerized information system constitutes private, confidential information.”
* * *
“If an associate wrongfully uses and/or discloses confidential information, the associate may be subject to corrective action up to and including termination of their employment.”
Advocate's confidentiality policy explained to its employees when they could access a patient's computerized data and made it clear that wrongful use or disclosure of the information could lead to termination of their employment.
¶ 6 Pesoli applied for unemployment insurance benefits with the Illinois Department of Employment Security (Department). The claims adjudicator found Pesoli eligible for benefits. Advocate appealed the claims adjudicator's decision and argued that Pesoli was ineligible for unemployment insurance benefits because she was discharged for “misconduct” based on section 602(A) of the Act. 820 ILCS 405/602(A) (West 2008).
¶ 7 Section 602(A) of the Act provides in pertinent part:
“An individual shall be ineligible for benefits for the week in which he has been discharged for misconduct connected with his work * * *. * * * For purposes of this subsection, the term ‘misconduct’ means the deliberate and willful violation of a reasonable rule or policy of the employing unit, governing the individual's behavior in performance of his work, provided such violation has harmed the employing unit or other employees or has been repeated by the individual despite a warning or other explicit instruction from the employing unit.” 820 ILCS 405/602(A) (West 2008).
¶ 8 A telephone hearing was held by a referee pursuant to section 800 of the Act. 820 ILCS 405/800 (West 2008). At the hearing, Butler testified that the hospital used a password-protected computer system to store patients' information. Butler explained that Advocate prohibited its employees from accessing computerized patient information unless accessing such information was related to the performance of the employee's job responsibilities. According to Butler, Advocate's employees received training regarding the privacy requirements under HIPAA and were required to sign a HIPAA confidentiality agreement annually, and information concerning patients' privacy was reviewed at staff meetings.
¶ 9 Butler also testified that on September 21, 2009, one of Pesoli's coworkers, whose name was not disclosed, called and complained that Pesoli was “on the computer and calling people about a young child who had been hit by a car” and that the child was Pesoli's neighbor. After the complaint was made, Advocate conducted an audit of the hospital's computer logs. The audit revealed that Pesoli had accessed the child's hospital records and that the child was a patient in the pediatric intensive care unit of the hospital.
¶ 10 Butler further testified that she and Lisa Hack, a human resources representative, met with Pesoli. Hack showed Pesoli the patient's hospital records that were accessed and the audit trail showing that the information was accessed from Pesoli's computer. After seeing the records and the audit trail, Pesoli responded, “oh, yeah, that child lives in my neighborhood and my son was there when she was hit by a car. And so I was looking in the computer to see if she was still in the hospital.” Hack told Pesoli that accessing a patient's hospital records that were unrelated to radiation oncology was a terminable offense and that Pesoli was being discharged. According to Butler, Pesoli had never received a prior warning about a HIPAA violation, but Butler escorted Pesoli to her office, where Pesoli packed her personal belongings and repeatedly asked, “why am I so stupid?”
¶ 11 Pesoli testified that when Hack and Butler confronted her, she told them several times that she did not recognize the child or the child's name. When the referee pointed out that she had made a different statement during her interview with the claims adjudicator, Pesoli admitted that she did recognize the child, after seeing the diagnosis, “trauma,” on the document, but she denied accessing the child's hospital records.
¶ 12 Pesoli testified that she received an email earlier that morning before she met with Hack and Butler. The email came from a parent at the child's grammar school, which her son attended years ago. The email contained detailed information about the child's injury and the fact that the child was a patient in the hospital.
¶ 13 Pesoli explained that it was a common practice for employees within her department to access patients' information from the nearest available computer in order to redirect callers who had mistakenly called the radiology oncology department. Therefore, Pesoli maintained that someone else could have accessed the patient's information while she was logged in on her computer but was away from her desk.
¶ 14 While Pesoli testified that she did not know that accessing a patient's information on the computer was grounds for immediate termination, Pesoli admitted in her closing statement that she was aware that she was not allowed to access patients' information unless it was related to her job responsibilities. Finally, Pesoli claimed that Advocate did not explain in layman's terms the full extent of HIPAA, and she thought that she was being terminated for opening the email.
¶ 15 The referee found that Pesoli was discharged for work-related misconduct and was ineligible for benefits under section 602(A) of the Act. 820 ILCS 405/602(A) (West 2008). Therefore, the referee reversed the claims adjudicator's decision, and Pesoli filed an appeal with the Board.
¶ 16 The Board found that Advocate had provided credible evidence that Pesoli accessed a patient's hospital records that were not connected with her job responsibilities in violation of the hospital's confidentiality agreement concerning HIPAA. The Board also found that Pesoli had admitted accessing the patient's hospital records when confronted with the evidence. The Board further found that it was unlikely that someone else looked up the information given that the patient whose information was accessed was Pesoli's neighbor. Based on the evidence, the Board determined that Pesoli had been discharged for work-related misconduct and was ineligible to receive unemployment insurance benefits under section 602(A) of the Act.
¶ 17 Pesoli filed an administrative review action in the circuit court and the court affirmed the Board's decision. Pesoli now appeals pursuant to Supreme Court Rule 303. Ill. S.Ct. R. 303(a) (eff. May 30, 2008).
¶ 18 ANALYSIS
¶ 19 Standard of Review
¶ 20 In reviewing a decision by an administrative agency, reviewing courts must review the final decision of that agency. Abbott Industries, Inc. v. Department of Employment Security, 2011 IL App (2d) 100610, ¶ 15, 352 Ill.Dec. 432, 954 N.E.2d 292. Therefore, we review the decision by the Board, which made the Department's final determination regarding Pesoli's claim. See Abbott Industries, Inc., 2011 IL App (2d) 100610, ¶ 15, 352 Ill.Dec. 432, 954 N.E.2d 292. Reviewing courts apply different standards of review depending on whether the question presented is one of fact or law. City of Belvidere v. Illinois State Labor Relations Board, 181 Ill.2d 191, 204, 229 Ill.Dec. 522, 692 N.E.2d 295 (1998). In reviewing the Board's findings of fact, we deem those findings prima facie true and correct and will reverse only if they are against the manifest weight of the evidence. Abbott Industries, Inc., 2011 IL App (2d) 100610, ¶ 15, 352 Ill.Dec. 432, 954 N.E.2d 292. Conversely, when the issue involves the agency's findings on a question of law, our review is de novo. City of Belvidere, 181 Ill.2d at 205, 229 Ill.Dec. 522, 692 N.E.2d 295. Finally, where the agency's decision presents a mixed question of fact and law, we apply the clearly erroneous standard of review and will reverse only if our review of the entire record leaves us with the definite and firm conviction that the decision was a mistake. AFM Messenger Service, Inc. v. Department of Employment Security, 198 Ill.2d 380, 395, 261 Ill.Dec. 302, 763 N.E.2d 272 (2001).
¶ 21 The Sufficiency of the Evidence
¶ 22 Pesoli argues that Advocate failed to produce credible evidence to support its allegation that she engaged in work-related misconduct. Specifically, Pesoli argues that (1) Advocate failed to present the coworker who witnessed her accessing the patient's records on the computer, and (2) Advocate failed to produce the documentary evidence, audit records, which Advocate claimed would show that Pesoli accessed the patient's confidential information from her computer. The Department responds by arguing that Pesoli has waived these arguments because she failed to raise them during the administrative hearing and is raising them for the first time before this court.
¶ 23 It is well settled that if an argument, issue, or defense is not presented in an administrative hearing, it is procedurally defaulted and may not be raised for the first time on administrative review. Cinkus v. Village of Stickney Municipal Officers Electoral Board, 228 Ill.2d 200, 212, 319 Ill.Dec. 887, 886 N.E.2d 1011 (2008); Hurst v. Department of Employment Security, 393 Ill.App.3d 323, 328, 332 Ill.Dec. 777, 913 N.E.2d 1067 (2009). Our review of the record reveals that at no time during the proceedings before the Board did Pesoli raise the aforementioned arguments. Therefore, we hold that Pesoli's arguments regarding Advocate's failure to call the coworker as a witness and to introduce the audit records are procedurally defaulted.
¶ 24 Pesoli also argues that Butler's testimony that a coworker told her that Pesoli accessed the patient's hospital records was hearsay. We note that section 3–111(b) of the Code of Civil Procedure provides that “[t]echnical errors in the proceedings before the administrative agency or its failure to observe the technical rules of evidence shall not constitute grounds for the reversal of the administrative decision unless it appears to the court that such error or failure materially affected the rights of any party and resulted in substantial injustice to him or her.” 735 ILCS 5/3–111(b) (West 2008). Moreover, “[i]t is well established that when hearsay evidence is admitted without an objection, it is to be considered and given its natural probative effect.” Jackson v. Board of Review of the Department of Labor, 105 Ill.2d 501, 508, 86 Ill.Dec. 500, 475 N.E.2d 879 (1985). Here, Pesoli did not object to Butler's hearsay testimony and, given the fact that Pesoli admitted that she accessed the patient's hospital records, there was overwhelming properly admitted evidence of Pesoli's misconduct. Therefore, there was no injustice in admitting the hearsay testimony. Accordingly, the Board did not err when it considered Butler's hearsay testimony.
¶ 25 Next, we will consider whether the other evidence that was properly admitted at the hearing was sufficient to support the Board's finding of misconduct. Pesoli also maintains that Butler's testimony that she admitted accessing the patient's hospital records was insufficient to establish that she was guilty of misconduct. We note that Pesoli testified that when Hack and Butler confronted her, she told them that she recognized the child's name, but she was referring to the email that she had opened that morning at work and not the patient's hospital records. We also note that Butler testified that Hack showed Pesoli the patient's hospital records and the audit trail and that Pesoli admitted accessing the patient's hospital records.
¶ 26 The Board determines the facts and issues in each appeal as the ultimate fact finder, taking the referee's findings into consideration. Caterpillar, Inc. v. Doherty, 299 Ill.App.3d 338, 344, 233 Ill.Dec. 889, 701 N.E.2d 1163 (1998). It is the Board's responsibility to weigh the evidence, evaluate the credibility of the witnesses and resolve conflicts in testimony. Caterpillar, 299 Ill.App.3d at 344, 233 Ill.Dec. 889, 701 N.E.2d 1163. Our task is to determine whether the Board's findings of fact are contrary to the manifest weight of the evidence. City of Belvidere, 181 Ill.2d at 205, 229 Ill.Dec. 522, 692 N.E.2d 295.
¶ 27 The Board found that Butler's testimony was more credible than Pesoli's because it was unlikely that someone other than Pesoli looked up the patient's hospital records when the patient happened to be Pesoli's neighbor. We find that the Board's finding that Pesoli admitted that she accessed the patient's hospital records was reasonable and clearly supported by evidence in the record. Therefore, we hold that the Board's finding was not contrary to the manifest weight of the evidence.
¶ 28 Misconduct
¶ 29 In order to determine whether Pesoli's unauthorized access of the patient's hospital records constituted misconduct under the Act, three elements must be proven: (1) that there was a deliberate and willful violation of a rule or policy of the employing unit; (2) that the rule or policy of the employing unit was reasonable; and (3) that the violation either has harmed the employer or was repeated by the employee despite previous warnings. See 820 ILCS 405/602(A) (West 2008); Czajka v. Department of Employment Security, 387 Ill.App.3d 168, 173–74, 327 Ill.Dec. 108, 901 N.E.2d 436 (2008).
¶ 30 First, we must determine whether Pesoli deliberately and willfully violated a rule or policy of the employer. “Willful conduct stems from an employee's awareness of, and conscious disregard for, a company rule.” Livingston v. Department of Employment Security, 375 Ill.App.3d 710, 716, 313 Ill.Dec. 820, 873 N.E.2d 444 (2007) (citing Wrobel v. Department of Employment Security, 344 Ill.App.3d 533, 538, 279 Ill.Dec. 737, 801 N.E.2d 29 (2003)). Pesoli admitted during the telephone hearing that she was aware of the policy against accessing a patient's hospital records unless it was related to her job responsibilities. Pesoli also admitted to Butler and Hack that she looked up the child's hospital records because the child lived in her neighborhood and she was checking to see if the child was still in the hospital. Pesoli's reason for accessing the patient's hospital records was not work related. Based on the aforementioned admissions, we find that Pesoli was aware of Advocate's policy and consciously disregarded the policy. Therefore, we find that Pesoli's access of the patient's hospital records for non-work-related purposes was a willful and a deliberate violation of a rule or policy of Advocate, the employing unit.
¶ 31 Second, we must determine whether the employer's rule or policy was reasonable. “A reasonable rule concerns ‘standards of behavior which an employer has a right to expect’ from an employee.” Livingston, 375 Ill.App.3d at 716, 313 Ill.Dec. 820, 873 N.E.2d 444 (quoting Bandemer v. Department of Employment Security, 204 Ill.App.3d 192, 195, 149 Ill.Dec. 699, 562 N.E.2d 6 (1990)). HIPAA is a federal law that has established standards and requirements for the electronic transmission of certain health information. 42 U.S.C. § 1320d-(2006) (purpose). HIPAA applies to a number of “covered entities,” which includes health care providers, like Advocate. 42 U.S.C. § 1320d–1(a)(3) (2006). Under HIPAA, Advocate was required to maintain reasonable and appropriate administrative, technical and physical safeguards to (1) ensure the integrity and confidentiality of health information, (2) to protect against unauthorized uses and disclosure of the information, and (3) to ensure that its officers and employees were in compliance with HIPAA. 42 U.S.C. § 1320d–2(d)(2) (2006). In order to comply with HIPAA, Advocate promulgated its confidentiality policy. Therefore, because HIPAA requires entities, including Advocate, to protect the privacy of patients' health information, and because Advocate promulgated the rule or policy to comply with HIPAA and to protect the confidentiality of its patients' health information, we hold that Advocate's confidentiality rule or policy was reasonable.
¶ 32 Third, we must determine whether Pesoli's violation harmed Advocate or whether Pesoli's violation was repeated despite previous warning. Butler testified that Pesoli did not receive any prior warning about accessing patients' records that were unrelated to her work. Therefore, in order to satisfy the third element, Pesoli's conduct must have harmed the employer. Harm to the employer is not limited to actual harm, but harm can be established by showing potential harm. Hurst, 393 Ill.App.3d at 329, 332 Ill.Dec. 777, 913 N.E.2d 1067 (and cases cited therein). Because Advocate is a hospital and federal law requires it to keep patients' health information confidential, patients have a right to expect that their hospital records will be kept private and free from unauthorized access. Therefore, Advocate could experience potential harm from the loss of business or lawsuits, if potential patients discovered that their confidential health information is accessed by Advocate's employees for reasons unrelated to their job responsibilities.
¶ 33 The evidence in the record clearly established that Pesoli received training regarding the privacy requirements under HIPAA, that Pesoli was aware of Advocate's rule or policy prohibiting the unauthorized access of patients' health information based on HIPAA, and that Pesoli disregarded the rule. Pesoli's knowledge and disregard of Advocate's policy made her conduct deliberate and willful in conscious contravention of Advocate's confidentiality policy concerning HIPAA and could cause potential harm to Advocate. Therefore, we find that Pesoli's access of the patient's hospital records outside of her job responsibilities constituted misconduct under section 602(A) of the Act. Accordingly, we hold that the Board's conclusion that Pesoli was ineligible for benefits under section 602(A) of the Act based on misconduct connected with her work was not clearly erroneous.
¶ 34 CONCLUSION
¶ 35 We hold that the Board's finding that Pesoli accessed the patient's hospital records outside of her job responsibilities was not contrary to the manifest weight of the evidence because the Board's finding was supported by evidence in the record. We also hold that the Board's decision, that Pesoli was ineligible for unemployment insurance benefits under section 602(A) of the Act based on misconduct connected with her work, was not clearly erroneous. Accordingly, we affirm the Board's decision.
¶ 36 Affirmed.
Justices STEELE and STERBA concurred in the judgment and opinion.