Drake v. UC Health — Court affirms termination for unauthorized patient record access was not against public policy

Case
Drake v. UC Health, LLC, 2026-Ohio-1483
Court
Ohio Court of Appeals, First Appellate District
Date Decided
April 24, 2026
Docket No.
C-250581
Topics
At-will employment; Public policy exception; Healthcare privacy; HIPAA

Background

Danielle Drake worked as a social worker in UC Health’s emergency department beginning in 2014. In December 2023, Drake overheard a phone call in which she believed a coworker improperly disclosed a patient’s private health information (PHI) in violation of HIPAA. Drake reported the suspected violation to her supervisor on December 11, 2023, and followed up on January 12, 2024, when she did not hear back. During UC’s investigation of the coworker, UC discovered that Drake herself had accessed the same patient’s PHI without authorization on December 8, 2023—the day of the alleged coworker violation. Drake accessed the patient’s identity report by first viewing a floor list for a hospital floor she was not working on, viewing the document for only 18 seconds. Drake later admitted that her purpose was to obtain the patient’s name so she could complete an incident report (MIDAS form) to report the coworker’s suspected HIPAA violation.

UC’s workplace policy restricted employee access to PHI to “legitimate business reasons,” defined as involvement in patient treatment, billing, or department management. Drake’s access fell outside all three categories. UC’s compliance department, her supervisor, and HR conferred about the unauthorized access. HR advised that UC’s strict practice is to terminate employees who access patient PHI in an unauthorized manner. Drake’s supervisor asked whether lesser discipline was appropriate given Drake’s good faith motivation and brief access, but HR reiterated that termination was the standard remedy. Drake was terminated on February 7, 2024, for “[u]nauthorized or otherwise inappropriate access, use, handling, or disclosure of confidential patient health information (PHI).” Drake sued for wrongful termination in violation of public policy.

The Court’s Holding

The Ohio Court of Appeals affirmed summary judgment for UC Health, holding that Drake failed to establish a genuine issue of material fact regarding the “overriding justification” element of her wrongful termination claim. The court applied Ohio’s four-part test for wrongful discharge in violation of public policy: (1) clear public policy, (2) jeopardy to that policy from similar terminations, (3) causation between conduct and termination, and (4) absence of overriding legitimate business justification. While Drake may have established the first three elements, she failed on the critical fourth prong.

UC presented an undisputed overriding business justification: Drake violated UC’s clear workplace policy prohibiting unauthorized PHI access. Drake admitted accessing the patient’s record, and this fact was confirmed by UC’s compliance records. The court rejected Drake’s arguments that her conduct fell within the legitimate business purpose exception, noting that her access was not for treatment, billing, or department management—the only purposes permitted under UC policy. The court also rejected Drake’s arguments about pretext, finding no evidence that UC deviated from its strict practice of terminating employees for unauthorized PHI access, that UC required progressive discipline before termination, or that other employees similarly violated the policy without being fired. The court noted that Drake relied on inadmissible hearsay regarding another employee’s treatment and that HIPAA itself did not require UC to permit Drake’s access, as UC’s termination was based on its own policy, not federal law compliance.

Key Takeaways

  • At-will employees in healthcare can be terminated for violating strict PHI access policies, even when motivated by good faith reporting of other violations.
  • Good faith motive does not shield an employee from termination if the method of reporting violates established workplace policies.
  • Employers are entitled to enforce clear, written policies regarding patient privacy without meeting a public policy exception to at-will employment.
  • Progressive discipline is not legally required before termination for unauthorized access to confidential health records.

Why It Matters

This decision significantly limits the public policy exception to at-will employment in healthcare. It establishes that even when an employee’s underlying motivation—reporting a legal violation—might align with public policy, the employee cannot bypass established workplace procedures. Drake v. UC Health clarifies that healthcare providers may enforce strict, zero-tolerance PHI access policies without violating public policy, and that employees cannot gain protection under the public policy exception by claiming their unauthorized access served a whistleblowing purpose. This leaves employees with limited recourse if they believe existing reporting channels are inadequate.

The decision also reflects the tension between two competing interests: protecting patient privacy through strict healthcare workplace policies and protecting employees who act in good faith to report legal violations. By prioritizing employer policy enforcement, the court signals that whistleblowers in healthcare must use designated reporting mechanisms—such as UC’s compliance hotline, email reporting, and MIDAS forms—rather than independently accessing records. The holding may discourage informal fact-gathering by healthcare workers investigating suspected violations, even when they lack sufficient information to use formal channels.

✉️ Get tomorrow’s cases before your first coffee
Daily Case Law is our free morning digest — the most substantive new decisions, filtered to your jurisdictions and topics, each linking back here for the full analysis.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top