Responding to a HIPAA Violation in the Office
It Could Happen In Your Office
Since the April 14, 2003 implementation of the HIPAA Privacy Standards, I have personally witnessed HIPAA violations in both the hospital and physician office setting. Violations of HIPAA can and will happen in your practice setting. The most likely scenario is the verbal disclosure of protected health information.
Please consider the following scenario:
Patient discusses with Physician A her feelings of depression and attributes them to her husband's infidelity. Physician A discusses the issue with Physician B in a common area of the office. Employee C overhears the conversation and mentions the conversation to the patient's husband, who plays softball with Employee C. The husband confronts the patient. A very upset patient complains to Physician A that confidential information has been shared with her husband.
The above scenario brings three issues to mind:
(1) Physician A should only be sharing patient information with Physician B if there is a legitimate professional reason to do so (e.g., Physician B has more experience treating depression);
(2) The physicians in the practice should not discuss patient issues in a common area of the office unless the common area is closed to third parties (e.g., drug representatives, patients, etc.) and the staff is aware that conversations in the area may be protected under HIPAA; and
(3) Employee C should not repeat the information to the patient's husband.
Patient Rights
A patient has the right to file a formal complaint with the provider and with the Department of Health and Human Services in the event of a HIPAA violation. In addition, a patient has a private right of action against the provider for the violation. This right may result in your being named as a defendant in a lawsuit alleging that protected health information was disclosed in violation of HIPAA.
Responding to the Allegation of a HIPAA Violation
Upon receipt of a HIPAA complaint, a provider has an obligation to:
- Document the complaint
- Determine whether a HIPAA violation occurred and how information was disclosed
- Mitigate damages and prevent further disclosure of information
- Provide the patient with an accounting of the disclosure upon request
- Apply appropriate sanctions against employees who fail to comply with HIPAA policies
- Document the sanctions that have been applied, if any
Imposition of Employee Sanctions
HIPAA requires that appropriate sanctions be imposed against employees who violate the Privacy Standards. These sanctions may take the form of a reprimand, requirement to attend additional HIPAA training, suspension without pay or even termination. It is important to understand that the imposition of sanctions against an employee raises a number of employment law issues and the compliance officer should consult with a labor attorney prior to the imposition of sanctions in order to minimize liability.