She viewed the record for just 18 seconds – her supervisor pushed for leniency, but HR held firm
An Ohio hospital fired a social worker for accessing patient records to report a coworker's HIPAA violation – and an appeals court said that was fine.
In a decision handed down on April 24, 2026, the First Appellate District of Ohio affirmed summary judgment in favor of UC Health, LLC, finding the healthcare system had an overriding business justification for terminating Danielle Drake, a social worker in its emergency department, after she accessed a patient's protected health information without authorization. The case lands squarely in a gray zone that HR leaders in regulated industries know well: what happens when an employee breaks one rule while trying to enforce another?
Drake had worked in UC Health's emergency department since 2014. On December 8, 2023, she overheard a coworker on the phone with a patient's family member and believed the coworker was disclosing the patient's protected health information in violation of HIPAA. UC Health offered several ways for employees to report suspected violations, including a hotline, an email address, a reporting form known as MIDAS, and direct reports to a manager. Drake said she could not complete the MIDAS form because she did not know the patient's name. Compliance records later showed that on the same day, she pulled up a patient floor list for a floor of the hospital she was not working on and viewed the patient's identity report for 18 seconds.
Three days later, Drake reported the suspected violation to her supervisor. When she did not hear back, she followed up with a different supervisor in January 2024. That follow-up triggered an investigation into the coworker, and during the process, UC Health realized Drake knew more about the patient than the care team did. The compliance department confirmed her access.
When her supervisor inquired, Drake initially did not recall viewing the record but later acknowledged she must have done so to get the patient's name for her report. UC Health's internal policy limited access to patient records to three purposes: treating the patient, billing, or managing a department. Drake's access did not fall within any of them.
Her supervisor pushed back on the termination recommendation, telling HR that Drake had acted in good faith and only briefly viewed the record. He also raised concerns about the impact a termination could have on future good-faith reporting. HR held firm. The organization's strict practice, its chief compliance officer later testified, was automatic termination for unauthorized access to patient records. Both the senior HR partner and Drake's supervisor said they were unaware of any instance in which UC Health had handled such a violation differently.
Drake was terminated on February 7, 2024. She sued, arguing the firing violated Ohio public policy because her access was motivated by an effort to report illegal conduct. The trial court sided with UC Health, and the appellate court agreed. The three-judge panel found that Drake failed to show the employer's stated justification was pretextual.
Her argument that UC Health's progressive discipline policy should have applied fell short – the policy permitted termination for this type of violation and did not require lesser discipline first. Text messages Drake submitted from a coworker who claimed she had not been fired for a similar violation were discounted as hearsay because the coworker never testified. The court also declined to weigh in on whether HIPAA itself would have permitted Drake's access, noting that UC Health fired her for violating its own internal policy, not federal law.
For HR professionals, the case is a reminder that strict enforcement of data access policies can hold up in court, even when the employee's intentions are good. But it also exposes a design flaw that employers should take seriously. If the only way for an employee to report a suspected privacy violation is to commit one, the reporting system has a gap. Drake said she accessed the record because she could not complete the required form without the patient's name. Whether that explanation changes the ethics of the situation is debatable. What is harder to debate is that UC Health's own supervisor flagged the problem in real time – and HR held to its standard practice regardless.
