    kaylabug53 Posts: 1, Reputation: 1
    New Member
     
    #1

    May 13, 2008, 09:40 AM
    HIPAA Violation
    Has my immediate supervisor violated HIPAA by inserting my private medical information into a corrective action document, which was ultimately signed by our Administrator? I had, privately, shared a health concern with my immediate supervisor.
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #2

    May 13, 2008, 09:55 AM
    No, since you volunteered the info.
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #3

    May 14, 2008, 01:55 PM
    You volunteered the information to the supervisor; did you authorize her to give the information to the administrator?

    Under HIPAA she is not authorized to give your medical information to another person without your authorization unless it is needed to conduct business.

    The Rule says:
    The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose

    If the Administrator needed the information for some work-related reason then it is not a violation. If the Administrator did not need the information then it is a violation.

    Records and documents relating to medical certifications, recertifications or medical histories of employees or employees' family members, created for purposes of FMLA, shall be maintained as confidential medical records in separate files/records from the usual personnel files, and if ADA is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements (see 29 CFR Sec. 1630.14(c)(1)), except that: (1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations; (2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and (3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.

    It is a pretty fine line whether it was needed for business reasons or not, especially since the rules say that it may be disclosed to supervisors or managers. The deciding factor would be whether it was needed to conduct reasonable business.

    This is what I would recommend you do. Right now write a note to the supervisor saying:

    Date________________

    Under the HIPAA act, I revoke any authorization given or applied by me in release of my medical information which I released to you on _____date. I do not wish it to be released to anyone from this day forward without my written authorization.

    I wish this medical PSI be placed in a place where no personnel other than yourself has access to it.

    Signed __________________________.

    Photocopy this notice. Give this personally to your supervisor and note the date and time on your copy that you gave it to her.

    After you do this, if you find out the information has been given to someone else, file a violation claim with the HHS and they will investigate. There are hefty penalties associated with leaking PSI.

    It will not take it back from whomever has seen it already, but I am pretty sure it will stop it from going any further. You have a right to that privacy under the privacy rule.

    Shirley
    edsnopse Posts: 16, Reputation: 2
    New Member
     
    #4

    May 14, 2008, 03:45 PM
    And it doesn't matter if her action was intentional or due to negligence... There's still a liability.
    J_9 Posts: 40,298, Reputation: 5646
    Expert
     
    #5

    May 14, 2008, 03:51 PM
    Do you work for a doctor? Do you work in the health care field?

    HIPAA protects the patient. If I, as your nurse, would be talking about your illness and treatment at lunch in a restaurant and was overheard by your neighbor, I, as your nurse, would be held liable for a HIPAA violation.

    So, #1, if your employer is not in the healthcare field, then no HIPAA violation has occurred. Basically what HIPAA is, it is the doctor/patient privilege.

    #2 You volunteered the information in the first place. Thus, since it was volunteered by you, it is no longer considered a violation.
    Fr_Chuck Posts: 81,301, Reputation: 7692
    Expert
     
    #6

    May 14, 2008, 06:31 PM
    There are workplace rules, but a supervisor who is given info that may affect the workplace or the work of a worker actually has an obligation to the company to inform their manager. The information cannot be given out to other workers but can be exchanged within management that has a need to know.
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #7

    May 15, 2008, 06:11 AM
    I agree on the need to know. Yes, HIPAA is about medical information and you are correct about that.

    However, it is also an obligation for the employer to keep PSI private. We can be charged fines if we do not. We are even obligated to train the staff on the HIPAA requirements.

    There are requirements of employers as well.

    Shirley
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #8

    May 15, 2008, 06:18 AM
    HIPAA gave employers a manual to use for HIPAA compliance.

    Here is a small portion of the explanation of employer responsibility in the page long explanation to introduce the manual.
    HIPAA requirements are pretty straight forward for an employer. Below are the main points to HIPAA compliance.

    • Designate a privacy officer whose job it is to understand, develop and implement HIPAA policies and procedures
    • Identify employees or classes of employees who will have access to PHI and under what circumstances this access will be permitted
    • Develop a HIPAA training program for your healthcare administration employees
    • Document all administrative measures and how PHI is to be used and protected including employee sanctions for non-compliance. (Policies and Procedures Manual)
    • Furnish participants with a written notice of the plan's policies regarding the privacy of and access to PHI. (Notice of Privacy Practices)
    • Create several forms including reports, employee authorization, complaint and documentation for non-compliance actions
    • Identify and obtain Business Associate Agreements from third parties involved with the administration of your healthcare plan
    • Develop security procedures to protect any protected information from internal and external access
    • Keep the employee medical information separate from the employment information
    ER.HIPAAps.com will assist you in this process. When you have completed our steps, you will have a HIPAA Policies and Procedures Manual that outlines (and recommends) actions to take. When you have completed the Manual selections, a tool will be available to train any employees involved with the healthcare plan administration. There also is a library of examples to use to create your own forms with your legal counsel's input.

    One last thought, when we were creating a HIPAA tool for employers, we approached it very conservatively. We asked what would an employer need as a healthcare plan sponsor to defend a challenge to HIPAA compliance. From there we worked backwards to build a tool for you to use to create your HIPAA Manual.

    Shirley
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #9

    May 15, 2008, 06:24 AM
    I think J_9 has the salient point here. HIPAA was set up to protect the privacy of patient records by prohibiting HEALTH CARE PROFESSIONALS who are involved in providing care TO THE PATIENT from revealing any patient info without permission.

    In this situation, the medical info was VOLUNTEERED to the person's supervisor. That supervisor felt that info may have had an impact on the employee's performance so included that info in their personnel record. Since the supervisor was not responsible for the health care of the employee and since the information was volunteered by the employee, then HIPAA is not involved at all.

    Whether the supervisor committed a breach of ethics by using the information is open to debate. Without knowing the full circumstances, I can see scenarios where the supervisor was correct in their action.
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #10

    May 15, 2008, 06:55 AM
    The employer is bound by the HIPAA rules if they sponsor a health plan for the employees.

    The following penalties could be charged and the following items are covered by HIPAA for employers. How many employers have not handled at least one of the items listed below? If one of them is handled by an employer they are covered under the HIPAA regulations.

    Taken from HIPAA regulations on Department of Labor:

    Civil penalties for HIPAA violations are up to $100 per violation, with a maximum of $25,000 per year per requirement violated. HIPAA also carries criminal penalties: anywhere from $50,000 and one year in prison on the low end to $250,000 and 10 years at the maximum.
    What is considered "personally-identifiable health information"?

    Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; it generally includes the following, whether in electronic, paper, or oral format:
    1. Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
    2. Health care payment and remittance advice;
    3. Coordination of health care benefits;
    4. Health care claim status;
    5. Enrollment and disenrollment in a health plan;
    6. Eligibility for a health plan;
    7. Health plan premium payments;
    8. Referral certifications and authorization;
    9. First report of injury;
    10. Health claims attachments.

    We deal as employers with health care information in many manners. FMLA, OSHA, Sick Pay Time, Renewal of Health Care Plans, and in dealing with insurance companies and employees.

    I am most certainly going to be diligent with my employee's PSI information and I would encourage other employers to be diligent as well. It is just one more regulation to comply with and it is easier to comply than to be out of compliance to later find out we should have complied.

    I would rather prevent an instance than try and clean up a mistake.

    Anyone can complain of a HIPAA violation to HHS. Then there will be an investigation and an audit. Those are not fun to go through and I would rather not be involved in that.

    It only takes one person to say... "I was terminated or demoted because my supervisor told the owner or CEO that I was sick and gave them my medical information that I gave her in private"... AUDIT...

    Shirley
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #11

    May 15, 2008, 07:13 AM
    Sorry Ladybug... we kind of got away on a soapbox there... I have stepped down now!

    If you feel your rights have been violated by the company you have every right to file a complaint.

    Here is how you file a complaint with the Office for Civil Rights. You cannot be retaliated against for filing a complaint and if nothing comes of it you will know that no violation was committed.

    Fact Sheet: HOW TO FILE A HEALTH INFORMATION PRIVACY

    This sheet has all the forms you need to fill out.

    Shirley
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #12

    May 15, 2008, 07:15 AM
    Quote Originally Posted by Wildsporty
    The employer is bound by the HIPAA rules if they sponsor a health plan for the employees.
    Yes, but only so far as they receive patient information as part of the health care coverage. So, if the supervisor was informed of an employee's diagnosis through a health care claim then it would be a violation to inform anyone else of that information. That wasn't the case here.
    edsnopse Posts: 16, Reputation: 2
    New Member
     
    #13

    May 15, 2008, 07:32 AM
    You could argue that it wasn't necessary to divulge the exact nature of your medical issue in the memo. Ex. There's a difference between saying "Mary has a medical condition" and "Mary has a raging case of oozing shingles".

    A suggestion for the future is to NEVER share ANYTHING with an employer of personal nature unless you feel that you have to do so to continue your employment. And then, you should do it in writing, explain why you are sharing it, state that it is not to be shared, and keep a copy.

    You need to ask yourself: what outcome do you want? Do you want an acknowledgement of wrongdoing? You may get it but may be on the next layoff list. Do you want to punish them? You'll have to go to a civil rights office (as suggested) or an attorney who specializes in HR. But be aware that litigation is expensive and holds no guarantee. The sad fact is that employers don't always treat employees with dignity and life isn't always fair. You might do better expending time to find another employer.

    Context for my response: I have been on both sides of the fence as both an employer and an employee.
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #14

    May 15, 2008, 08:05 AM
    I agree with Edsnopse.

    Although if you are really upset over it you can find many attorneys that will take the case on contingency in a minute... Judges have been very nice to employees lately.

    Just as an afternote there are new privacy laws in several states that go way beyond the HIPAA in protecting employee privacy and more in legislation. If you are in one of those states such as California with their new Medical privacy laws you could be violating state law without violating HIPAA.





    Shirley
    edsnopse Posts: 16, Reputation: 2
    New Member
     
    #15

    May 15, 2008, 08:24 AM
    Wild - That's an interesting development.
    JudyKayTee Posts: 46,503, Reputation: 4600
    Uber Member
     
    #16

    May 15, 2008, 10:18 AM
    Quote Originally Posted by Wildsporty
    I agree with Edsnopse.

    Although if you are really upset over it you can find many attorneys that will take the case on consignment in a minute... Judges have been very nice to employees lately.

    Just as an afternote there are new privacy laws in several states that go way beyond the HIPAA in protecting employee privacy and more in legislation. If you are in one of those states such as California with their new Medical privacy laws you could be violating state law without violating HIPAA.


    I think you mean on contingency, not on consignment.
    JudyKayTee Posts: 46,503, Reputation: 4600
    Uber Member
     
    #17

    May 15, 2008, 10:20 AM
    Quote Originally Posted by Wildsporty
    You have no idea!


    Privacy in the Wake of the Internet



    .. deleted in part but not changed.

    Did you write this or is it copied from a site? I would like more info for my own use but can't find the site.
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
     
    #18

    May 15, 2008, 10:31 AM
    Quote Originally Posted by Wildsporty
    You have no idea!


    Privacy in the Wake of the Internet
    Please do not reproduce information from elsewhere unless:

    • You are the author of that info
    • You have express permission to reproduce the info
    • You provide attribution for the info
    • You provide a link to the source of the info
    edsnopse Posts: 16, Reputation: 2
    New Member
     
    #19

    May 15, 2008, 10:32 AM
    That's an amazing post, Wild. It took two passes to digest.

    We're such a social society that our privacy has a value to us and to others. With technology, there are so many ways to violate someone's privacy and so many ways to profit from it. For attorneys, it's probably hot like IT patents used to be.

    It's just odd to me that we can't seem to define a violation of privacy in the US - which is the only way it can be outlawed. Then you have legislation like HIPAA, but every time you deal with health benefits, you sign your privacy away. Talk radio recently had a segment about a colossal health data repository under way that will "help people consolidate their health records". Somehow, I don't think that requirement is in the spec.

    Also odd is that some people don't seem to care about their privacy. Maybe their attitude changes when something bad happens. I'm for prevention myself.

    Caroline Kennedy wrote a book on privacy about 10 years ago that got very good reviews. I still need to read it.
    Wildsporty Posts: 445, Reputation: 38
    Full Member
     
    #20

    May 15, 2008, 10:33 AM
    Both. It is an article I read and kept from a seminar I went to one time put on by a local Department of Labor meeting I attend each month. It is DOLEA which stands for Department of Labor employers association. It was given to us as a handout at the seminar.

    Shirley
