At Ask Me Help Desk you can ask questions in any topic and have them
answered for free by our experts. To ask questions or participate in
answering them you must register for a free account. By registering you
will be able to:
Get free answers from experts in any of our 300+
topics.
Has my immediate supervisor violated HIPPA by inserting my private medical information into a corrective action document, which was ultimately signed by our Administrator? I had, privately, shared a health concern with my immediate supervisor.
You volunteered the information to the supervisor, did you authorize her to give the information to the administrator?
Under HIPAA she is not authorized to give your medical information to another person without your authorization unless it is needed to conduct business .
The Rule says:
The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose
If the Administrator needed the information for some work related reason than it is not a violation. If the Administrator did not need the information that it is a violation.
Records and documents relating to medical certifications, recertifications or medical histories of employees or employees' family members, created for purposes of FMLA, shall be maintained as confidential medical records in separate files/records from the usual personnel files, and if ADA is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements (see 29 CFR Sec. 1630.14(c)(1)), except that: (1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations; (2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and (3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.
It is a pretty fine line whether it was needed for business reasons or not, especially since the rules say that it may be disclosed to supervisors or managers. The deciding factor would be whether it was needed to conduct reasonable business.
This is what I would recommend you to do. Right now write a note to the supervisor saying :
Date________________
Under the HIPAA act , I revoke any authorization given or applied by me in release of my medical information which I released to you on _____date. I do not wish it to be released to anyone from this day foreward without my written authorization.
I wish this medical PSI be placed in a place where no personnal other than yourself has access to it.
Signed __________________________.
Photocopy this notice. Give this personally to your supervisor and note the date and time on your copy that you gave it to her.
After you do this if you find out the information has been given to someone else..file a violation claim with the HHS and they will investigate. There are hefty penalties associated with leaking PSI.
It will not take it back from whomever has seen it already, but I am pretty sure it will stop it from going any further. You have a right to that privacy under the privacy rule.
Do you work for a doctor? Do you work in the health care field?
HIPAA protects the patient. If I, as your nurse, would be talking about your illness and treatment at lunch in a restaurant and was overheard by your neighbor, I, as your nurse, would be held liable for a HIPAA violation.
So, #1, if your employer is not in the healthcare field, then no HIPAA violation has occurred. Basically what HIPAA is, it is the doctor/patient privilege.
#2 You volunteered the information in the first place. Thus, since it was volunteered by you, it is no longer considered a violation.
There are work place rules, but a supervisor who is given info that may effect the work place or the work of a worker actually has a obligatoin to the company to inform thier manager. The information can not be given out to other workers but can be exchnaged within management that has a need to know.
I agree on the need to know. Yes, HIPAA is about medical information and you are correct about that.
However, it is also an obligation for the employer to keep PSI private. We can be charged fines if we do not. We are even obligated to train the staff on the HIPAA requirements.
HIPAA gave employers a manual to use for HIPAA comliance.
Here is a small portion of the explanation of employer responsibility in the page long explanation to introduce the manual.
HIPAA requirements are pretty straight forward for an employer. Below are the main points to HIPAA compliance.
Designate a privacy officer who job it is to understand, develop and implement HIPAA policies and procedures
Identify employees or classes of employees who will have access to PHI and under what circumstances this access will be permitted
Develop a HIPAA training program for your healthcare administration employees
Document all administrative measures and how PHI is to be used and protected including employee sanctions for non-compliance. (Policies and Procedures Manual)
Furnish participants with a written notice of the plan’s policies regarding the privacy of and access to PHI. (Notice of Privacy Practices)
Create several forms including reports, employee authorization, complaint and documentation for non-compliance actions
Identify and obtain Business Associate Agreements from third parties involved with the administration of your healthcare plan
Develop security procedures to protect any protected information from internal and external access
Keep the employee medical information separate from the employment information
ER.HIPAAps.com will assist you in this process. When you have completed our steps, you will have a HIPAA Policies and Procedures Manual that outlines (and recommends) actions to take. When you have completed the Manual selections, a tool will be available to train any employees involved with the healthcare plan administration. There also is a library of examples to use to create your own forms with your legal counsel's input.
One last thought, when we were creating a HIPAA tool for employers, we approached it very conservatively. We asked what would an employer need as a healthcare plan sponsor to defend a challenge to HIPAA compliance. From there we worked backwards to build a tool for you to use to create your HIPAA Manual.
I think J_9 has the salient point here. HIPAA was setp to protect the privacy of patient records but prohibiting HEALTH CARE PROFESSIONIALS who are involved in providing care TO THE PATIENT from revealing any patient info without permission.
In this situation, the medical info was VOLUNTEERED to the person's supervisor. That supervisor felt that info may have had an impact onthe employee's performace so included that info in their personnel record. Since the supervisor was not responsible for the health care of the employee and since the information was volunteered by the employee, then HIPAA is not involved at all.
Whether the supervisor committed a breach of ethics by using the information is open to debate. Without knowing the full circumstances, I can see scenarios where the supervisor was correct in their action.
The employer is bound by the HIPAA rules if they sponser a health plan for the employees.
The following penalties could be charged and the following items are covered by HIPAA for employrs. How many employers have not handled at least one of the items listed below. If one of them is handled by an employer they are covered under the HIPAA regulations.
Taken from HIPAA regulations on Department of Labor :
Civil penalties for HIPAA violations are up to $100 per violation, with a maximum of $25,000 per year per requirement violated. HIPAA also carries criminal penalties: anywhere from $50,000 and one year in prison on the low end to $250,000 and 10 years at the maximum.
What is considered "personally-identifiable health information"?
Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; it generally includes the following, whether in electronic, paper, or oral format:
1. Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
2. Health care payment and remittance advice;
3. Coordination of health care benefits;
4. Health care claim status;
5. Enrollment and disenrollment in a health plan;
6. Eligibility for a health plan;
7. Health plan premium payments;
8. Referral certifications and authorization;
9. First report of injury;
10. Health claims attachments.
We deal as employers with health care information in many manners. FMLA, OSHA, Sick Pay Time, Renewal of Health Care Plans, and in dealing with insurance companies and employees.
I am most certainly going to be diligent with my employee's PSI information and I would encourage other employers to be diligent as well. It is just one more regulation to comply with and it is easier to comply than to be out of compliance to later find out we should have complied.
I would rather prevent an instance than try and clean up a mistake.
Anyone can complain of a HIPAA violation to HHS. Than there will be an investigation and an audit. Those are not fun to go through and I would rather not be involved in that.
It only takes one person to say.."I was terminated or demoted because my supervisor told the owner or CEO that I was sick and gave them my medical information that I gave her in private".....AUDIT....!
Linear Mode
