THE ULTIMATE BLOG ON ALL THINGS HR
& THEN SOME
A few days late... my apologies!
You were recently admitted to a local hospital for an emergency procedure. You are also an employee at this same hospital. Your fellow employees were concerned for your wellbeing and one of them innocently asked nursing staff for an update on your condition. Knowing the employee was a coworker, nursing staff obliged.
Is this a HIPAA violation? If so, which parties violated your privacy? If not, why not?
A local mayor stops into an urgent clinic to be evaluated for a severe sore throat, among other symptoms. The doctor decides to run tests based on a combination of symptoms. The clinic is about to close for the night, so the doctor calls in prescriptions to the mayor’s local pharmacy. The next day the pharmacist calls the clinic to clarify the doctor’s orders and speaks to the nurse. The nurse was not on shift the night before, so the nurse pulls up the mayor’s chart.
Did the nurse violate HIPAA? Did the pharmacist?
Let me back up and spell out HIPAA for you. It stands for Health Insurance Portability and Accountability Act. The initial aim of the regulation was to guard against wrongful use and disclosure of protected health information (PHI). It also outlines which parties should be allowed to exchange electronic PHI for patient care purposes, particularly health insurance claims. This is a basic explanation from a 30,000-foot level.
Let’s discuss what happens if you—meaning a healthcare provider, for the purposes of this blog post—violate HIPAA. First, you would have to be someone who was not on a need-to-know basis with regard to an individual’s PHI. In other words, a hospital Information Technician is not typically on such a basis in performing the duties of their job. So what happens to such a person who accesses another person’s PHI without having a legitimate need to know? In general terms, you could be fined up to $250,000 and sentenced to up to 10 years in prison per violation.
What exactly does that mean? Well, in the first scenario above, the concerned employee could be on the hook for one violation per individual with whom he or she shared your protected health information. Also, he or she could be facing up to ten years in prison. Keep in mind good intention is not a defense. However, I would suspect the coworker in this scenario would likely face a minimal fine or jail time, if any.
Even in our cyber-secure world, there are instances of breaches. Whether with intent from an external source or by mistake internally, PHI can get into the wrong hands. In such cases, the organization has a responsibility to alert every single individual with PHI that may or may not have been divulged. This could mean hundreds or even thousands. Imagine the anxiety and mistrust created. It can be hard for an organization to regain the trust of so many patients or customers.
Stop and ask yourself if you would want your privacy violated, especially your private health information. Conversely, stop and ask yourself if you are violating your coworker’s privacy by 1) asking medical personnel about your coworker and 2) sharing the information you learned from medical personnel. Would you do the same for any other patient in your facility? The concern you have for your coworker is valid and admirable. But respect his or her privacy and allow your coworker the opportunity to decide what information is shared and with whom.
Granted, my examples are in a healthcare setting. But I would argue the same principle applies to other industries. Wages, disciplinary actions, information not yet released to the public, and even company secrets are all things that should be held close to the vest. Of course, employees can discuss working conditions, including wages and disciplinary actions. As an HR professional, however, I would never discuss wages or disciplinary actions outside the realm of Human Resources. And neither should managers if they wish to have the respect reciprocated.
When managers share this information outside of HR, it can create friction among employees and managers, even outside the manager’s department. And while it is customary for leadership to review company secrets and pending developments, what is not customary is sharing this information outside the organization. Transparency is key. I believe in keeping employees informed of what may be around the corner for the organization. This builds trust, commitment, and loyalty. But keep in mind which information may be considered need-to-know within leadership.
HIPAA compliance is no laughing matter. Neither is disclosing other types of confidential information. It all comes down to responsibility and accountability. We must all hold ourselves to a high standard when considering whether or not to seek and/or share such information. Of course, there’s also the matter of high fines and jail time. If that doesn’t scare you straight, then I suppose nothing would. What I know to be true is I don’t look good in orange and I certainly don’t have an extra quarter million dollars.
Creator: That makes me sound all powerful. I suppose I am in many ways. Hi! My name's Amy and I've been practicing HR for twelve years now. No big deal. I am here to offer fresh perspective on HR topics and topics about the world we live in and life in general.