Privacy Officer's Roundtable

HIPAA violation -- family member

  • 1.  HIPAA violation -- family member

    Posted 01-21-2020 03:46 PM
    A minor patient comes into the emergency room. He is registered by a registrar, Employee X.

    Employee X tells Employee Y, another registrar, that minor patient is in the hospital because minor patient is the half-brother of Employee Y.

    Employee Y then texts her father, who is also minor patient's father, that minor patient is in the hospital.

    Is this a HIPAA violation by Employee Y?

    ------------------------------
    Jessica Terranova
    VP, General Counsel and Corporate Compliance Officer
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: HIPAA violation -- family member

    Posted 01-21-2020 03:57 PM
    Why did Employee X tell Employee Y?  If the patient didn't say contact employee Y or Y isn't the emergency contact or there is no work-related reason to tell Y, then to me it appears to be an impermissible use of PHI by Employee X.

    It might also be an impermissible disclosure by Y.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 3.  RE: HIPAA violation -- family member

    Posted 01-22-2020 06:38 AM
    Unfortunately this happens by well-intentioned staff and it's important for them to understand they can't do this. I once had a well-intentioned employee in the ER do this to a family member and the chain of events ended up outing the patient as having cancer, a diagnosis the patient was trying to keep secret. I teach people the "what happens in Vegas stays in Vegas concept" just because I think it's easy to remember - what you learn at work should stay there - even if it's your family/friends.  Here I would think about things that David pointed out. It seems to me that X started this chain of events, not Y, so why did X tell Y? What was the business purpose or was the disclosure authorized by the patient? Other factors that may aggravate: was the patient in for deemed adult services? Ask for a restriction? In the end when you look at all of the factors and do your loproco, you may find this is more of an internal policy violation given that it involves the child's parent.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 4.  RE: HIPAA violation -- family member

    Posted 01-22-2020 06:37 AM
    Good Morning -

    I see this as a violation or violations.
    1.  Employee X telling Employee Y the minor was there because of the half-brother relationship is a violation. The minor may not want anyone to know they are in the ED and the minor may have added protections depending on state laws. I don't see this disclosure by X to Y as part of their job duties or as part of treatment, payment, healthcare operations or authorized.
    2.  Employee Y calling her father is a violation for the same reasons.


    Jan

    ------------------------------
    Jan Walton
    Director, Corporate Compliance
    Oaklawn Hospital
    Marshall, MI

    jwalton@oaklawnhospital.com
    ------------------------------



  • 5.  RE: HIPAA violation -- family member

    Posted 01-22-2020 07:12 AM
    Edited by Frank Ruelas 01-22-2020 07:12 AM
    I think...and hope...that focusing on the question "Is this a HIPAA violation by Employee Y?"...and after listening to the podcast yesterday...there is not necessarily a violation by Employee Y.  I ask those studying for the exams, particularly the CHPC to recall the podcast and then read this scenario carefully.

    Though we don't know all of the facts and circumstances...this is not necessarily a violation and I'm not talking about a crazy..."what if"...type of scenario.  Give it some thought.

    ------------------------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    --------Frank Ruelas---------
    ------------------------------



  • 6.  RE: HIPAA violation -- family member

    Posted 01-23-2020 12:57 PM

    Frank,

     

    In the spirit of compare and contrast I agree that all of the facts aren't evident.  On the face of it, though, I would say it is a violation on the part of Employee Y also.  Let's say that Employee Y didn't learn that the minor was in the hospital from Employee X but from another source or by seeing the information in the EHR.  Unless an authorization was present what is the reason for disclosing a patient's information to anyone that did not have a HIPAA need to know?  It is not much different than I, as the employee, see my sister's child at a specialty clinic or at the admissions desk at the hospital and I call my sister to ask if she knew her child was at the clinic or hospital.  That's a violation of minimum necessary and an unauthorized disclosure of PHI.  I'd appreciate it if you could explain your reasoning as to why Employee Y did not violate HIPAA.

     

    Chris

    Chris Apgar, CISSP
    CEO & President
    (503) 384-2538 (o)
    (503) 816-8555 (c)
    (503) 384-2539 (f)
    capgar@apgarandassoc.com
    www.apgarandassoc.com

    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response

    The information contained in this email message is intended only for the personal and confidential use of the recipient(s) named above. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by email, and destroy the original message.

     






  • 7.  RE: HIPAA violation -- family member

    Posted 01-23-2020 01:24 PM
    Always good to see your posts, Chris!

    I have some folks who are studying for some exams looking at this and I've challenged them to come up with ways to show how this is not a violation...which is actually a good exercise given some of the content from a recent podcast they heard.

    I will circle back on the CHC and CHPC eGroups if you want to take a peek.

    Thanks for asking.

    ------------------------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    --------Frank Ruelas---------
    ------------------------------



  • 8.  RE: HIPAA violation -- family member

    Posted 01-23-2020 01:33 PM
    Just want to be clear on this scenario/question, Chris: are you saying it would be a violation of HIPAA rules if the ER contacted a parent of a minor who had been admitted to an ER?

    ------------------------------
    David Rothery, CHC
    Compliance Officer
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 9.  RE: HIPAA violation -- family member

    Posted 01-23-2020 02:41 PM

    David,

     

    Thanks for the question.  No, I'm not saying if the ER contacted the parent that it's a violation of HIPAA.  I was giving more of an example of if an employee saw someone he or she knew in the ER as, say, a registrar, it would not be permissible to contact the parent.  In this context it appears on the face of it that Employee Y contacted the parent because the patient was a half-brother.

     

    Whether or not the ER could contact the parent if a minor was admitted gets rather complicated.  As an example if the minor was of the age of informed consent, no friends and family form or authorization was present and it was not a case of harm to self or others or, say, a severe mental health crisis where the treating provider thought, in his or her professional judgement, he or she needed to contact the parents, it would not be permissible to contact the parents.  Even that gets more complicated because of overlaying state law.  HIPAA states that if state law allows or requires a disclosure, even if the minor is at the age of informed consent, parents could be notified.  I appreciate the question because, as with much of compliance, there's a lot of gray out there.

     

    Chris

    Chris Apgar, CISSP
    CEO & President
    (503) 384-2538 (o)
    (503) 816-8555 (c)
    (503) 384-2539 (f)
    capgar@apgarandassoc.com
    www.apgarandassoc.com

    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response



  • 10.  RE: HIPAA violation -- family member

    Posted 01-23-2020 07:20 PM
    Thanks for the clarification Chris, much appreciated.

    ------------------------------
    David Rothery, CHC
    Compliance Officer
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 11.  RE: HIPAA violation -- family member

    Posted 01-22-2020 09:15 AM
    We had a very similar situation at a hospital where I used to work involving two students. The only difference was it involved parents and stepparents who were in a custody dispute. We determined both students violated HIPAA. The student improperly shared the information with the second student because the second student had no need to know. The second student improperly contacted the minor patient's family members about the admission based on the information s/he improperly received.

    ------------------------------
    Lisa Stallings
    Corporate Responsibility Officer
    CommonSpirit Health
    Houston, TX
    ------------------------------



  • 12.  RE: HIPAA violation -- family member

    Posted 01-22-2020 12:02 PM

    I would say it's an impermissible disclosure on the part of both employees.  Employee X should not have told Employee Y that the minor was Employee Y's half-brother and Employee Y should not have contacted the father.

     

    Chris Apgar, CISSP
    CEO & President
    (503) 384-2538 (o)
    (503) 816-8555 (c)
    (503) 384-2539 (f)
    capgar@apgarandassoc.com
    www.apgarandassoc.com

    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response



  • 13.  RE: HIPAA violation -- family member

    Posted 01-24-2020 12:28 PM
    If Employee X did not initially know that Employee Y was related to the minor, Employee X would have followed protocol for emergency contacts. If the minor didn't name Employee Y as the emergency contact, then Employee X wouldn't have informed Employee Y but would have notified the minor's designated emergency contact. You would assume the minor would have known his half-brother worked at the hospital and if the minor wanted him to know he was there, he would have asked Employee X to notify Employee Y. It appears to me to be a violation by both employees.

    ------------------------------
    Nicole Goodman
    University Compliance Manager/HIPAA Privacy Officer
    Western Washington University
    Bellingham, WA
    ------------------------------
