HIPAA Q&A

Privacy in the workplace

by Chris Simons, MS, RHIA

Q: I work for a company that provides an array of services to children and adults with mental illness and developmental disabilities. We recently launched an audit of our signed HIPAA forms, which has led to this question: If the guardian for an individual should change, does the new guardian need to sign a HIPAA form?

A: The purpose of the acknowledgment (apart from compliance) is documentation that the legal decision-maker/patient has received the notice of privacy practices. Since the legal decision-maker has changed, the best practice would be to get another acknowledgment, consent for treatment, etc., signed by the new decision-maker. This person should receive the education about privacy necessary to perform his or her role.

Q: What protection is available for a former employee when the former employer falsifies a termination over an alleged HIPAA violation that was never reported as such? I recently requested information from the Office for Civil Rights about the violation, but no such report exists. My former employer did not conduct an internal investigation into the alleged HIPAA violation and did not conduct an access audit, risk assessment, or incident report. I don’t understand how an employer can terminate an employee for an alleged HIPAA violation without investigating the matter. Are there any protections in place to prevent employers from misrepresenting such an act or terminating an employee in such a manner?

A: Some of the answer here depends on your state law and your employer’s employment practices. Many states are at-will employment states, which means the employer has no legal obligation to justify the decision to terminate, absent some federal exclusion. For example, even in an at-will employment state, an employer cannot terminate for discriminatory reasons like race, age, and sex, including "whistle blower" activities on the part of an employee.

Also, remember that determining whether a particular disclosure was a breach and therefore reportable to OCR requires consideration of a number of factors; I can imagine a case where an employee could be terminated but the circumstances do not rise to the level of a reportable breach. The covered entity is responsible to investigate all alleged HIPAA violations and document that investigation, including outcomes, but not necessarily to report each investigation to the OCR.

I believe your concern is more related to employment law than HIPAA, and I suggest consulting an attorney who has experience with your state’s labor laws.

Q: The local police department often calls our hospital asking whether a certain person has been in our emergency department (ED). Once we were asked to contact the police department if a certain person showed up at the ED even though this person had not committed a crime. In this instance, I advised hospital personnel not to give out any patient information. Was this an acceptable approach or do we need to comply with the request of the police department?

A: This depends on your state law. Disclosures to law enforcement are permitted under certain circumstances under HIPAA, but not if state law is more stringent/restrictive. See the HHS website for specific circumstances under HIPAA when PHI can be disclosed without authorization: www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.

One way to demonstrate cooperation with law enforcement without breaching patient privacy is to encourage the patient to contact law enforcement him- or herself. So, in the example above, the staff could have told the patient of law enforcement’s request and offered to assist the patient in contacting the police. If the patient does not want the police notified, then, I agree, unless certain exceptions apply, we should honor the patient’s wishes. Remember that law enforcement always has the option to obtain a court order or warrant that would compel the covered entity to comply.

Q: What recommendations do you have for handling medical records for staff members who are also patients at the organization where they work? Should we provide extra protection for these patients? What can we do to ensure that staff members are not accessing their coworkers’ records without permission or need?

A: I am a firm believer in not adding special protection to any record, because it implies that some records are more confidential than others. In fact, all records are confidential and staff should not access any record unless it is necessary to do so to do their jobs. And, if it is necessary, they should only access the minimum necessary to do the job. HIPAA requires access monitoring, so your organization should conduct routine audits to determine whether staff are accessing records without a work-related reason. There is now software available that can conduct routine audits by staff member and department. This software can be used to reassure staff that their information is not being accessed by coworkers and to hold accountable those who are not following the policy/law. When a staff member raises a concern, an audit should be run to determine whether inappropriate access has occurred, and if it has, sanctions should be applied. Organizations should also consider having a policy that staff should not handle coworkers’ (or family members’) records (except in an emergency) without the permission of their supervisor.

All of these points should be reviewed at orientation and during (at minimum) annual training to ensure all staff understand that the organization takes such transgressions seriously and will take action as needed to protect the privacy of every patient’s information.

HCPro.com – HIM Briefings