In this article, Joe Campana discusses safe harbor and cites a 2007 Illinois Supreme Court opinion from Bagent v. Blessing Care Corporation, d/b/a Illini Community Hospital (pdf). Campana writes, in part:
An Illinois Supreme Court Case illustrates safe harbor. A health care employee divulged personal health information of a patient in a conversation with a friend. The friend’s sister, the patient, learned that her health information was shared. The health care organization and employee were both sued. The case was argued in the circuit court, appealed and finally argued before the Illinois Supreme Court.
The various courts recognized that the health care organization had written policies and procedures for protecting patient information, that it trained its employees and had them sign confidentiality agreements. The employee was terminated for violating the privacy policy. The courts considered these facts in determining the liability of the heath care organization. Both the circuit court and Supreme Court held that the organization should not be liable. However, the employee still faced common law charges for violation of the patient’s privacy. This suggests that it is important to educate and train employees because they can be held personally liable when there is a privacy violation.