Is this a HIPPA violation?

Amik · #1 Jul 24, 2007, 03:51 PM

I worked at a hospital as director of a department. To be able to download and access particular records in the department my password was used. Tow employees used the password and when I asked the IT department to allow me to change my password they refused since the program we were using to access the particular records was connected to m y email address password and they could not change it. I just found out that my email address at that job is still active and they could actually be responding to my emails without my knowledge. And worse, those who may have my old email address in their address books may be sending me emails and since I am not responding I look incompetent. Is this legal? How can I stop them?

Amik · Jul 24, 2007, 08:33 PM

Thank you for your input. It just blows me away that they can use my name in an email and respond when I no longer work there.

LearningAsIGo · Jul 25, 2007, 06:44 AM

I don't believe them.
We had a similar situation at work... turns out the Compliance Officer found out some of our employees were sharing their passwords. We are all medical professionals who are all within limits to see the information shared, but we were all forced to change our passwords if we were the actual offenders or not.
Here, when an employee leaves their email and all accounts are terminated immediately. (I work for a health care provider with over 500 employees and only 5 are computer admins but they still manage to do all of this)
The way I understand it, no matter who is ALLOWED to view the information isn't the issue... its how you obtain it. Using YOUR sign on information should NOT be allowed...though I'm not sure if my experience is actual HIPPA or my company holds higher standards (I doubt it!

) If they have permission to view/use the info, why don't they have their own sign on? They shouldn't need yours...

google HIPPA - they have a website that may help you get to the bottom of this.

vingogly · Oct 29, 2007, 07:54 AM

The HIPAA Security Rule requires organizations to have a policy for password and account usage that applies to email if that email is used for exchanging Protected Health Info (PHI). If email is used this way, it *must* be securely encrypted even if the usage is internal and steps taken to ensure that your email is not viewable by others. If your email was not used for PHI, then the organization can do what it wants with it - HIPAA Security Rule does not apply in this case. The organization should have a written policy that describes how PHI is used in electronic media. If it doesn't, that is itself a HIPAA violation.

Vasily



At Ask Me Help Desk you can ask questions in any topic and have them answered for free by our experts. To ask questions or participate in answering them you must register for a free account. By registering you will be able to: Get free answers from experts in any of our 300+ topics. Accept money for answers that you provide. Communicate privately with other members (PM). See fewer ads. Sign Up!