Do HIPAA rules apply to family?
Do HIPAA rules apply to family?
Ms. P was a nurse working in the cardiology department of a large hospital. Part of her job was to access patient medical records to review lab values and other diagnostic tests ordered by physicians and writing progress notes in patients' charts.
When Ms. P was hired, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient, which was required in order to perform her duties. Later, when the Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human-resources seminar and sign a revised confidentiality agreement.
This agreement stated that she would not access or view information other than what was required to do her job and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job. Finally, the agreement contained a section stating that Ms. P acknowledged that violation of the facility's confidentiality policy could result in disciplinary action up to and including termination.
Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers — with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.Ms. P's mother had Parkinson disease, was taking numerous medications and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this — after all, it was her own family.
One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation, which revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions. When the human-resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.
“Did you need to access information from their medical records in order to fulfill your duties as a clinical affiliate in the cardiology department?” asked the director of human resources. “I did not,” replied Ms. P. “They were not cardiology patients.”
Ms. P was terminated from her employment that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to determine whether she could sue the hospital for wrongful termination. The attorney was skeptical. “HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”Ms. P admitted that she'd had training. “Were you asked to sign anything after the training?” inquired the attorney.
“Well, yes,” said Ms. P. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”“That's irrelevant,” said the attorney. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.
“How old are you?” he suddenly asked Ms. P.
When she told him, he smiled. “I think we may have an angle in this suit. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you—a higher paid, experienced nurse—and replace you with a less expensive junior person.”The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.
Legal backgroundPeople who are over 40 years of age can allege age discrimination if it appears that the employer is using another excuse to fire an older employee and replace him or her with someone younger and cheaper. In this case, however, the hospital had a clear policy, in writing, which Ms. P was familiar with and had signed.
In addition, the hospital had a history of terminating employees for HIPAA violations, and more than half of those who were fired were younger than age 40 years at the time. In fact, several of the younger employees were terminated specifically for accessing the medical charts of family members. If an employer has a policy on the books that is being enforced uniformly across all age groups, then a cause of action alleging age discrimination will fail—as it did here.
The HIPAA Privacy Rule provides federal protections regarding the accessing of personal health information. At the same time, the Privacy Rule is balanced, so that it permits the disclosure of personal health information when such data are needed for patient care and other important purposes. Ms. P had no valid reason to be looking at medical records of patients who were not hers.
HIPAA is taken very seriously, and numerous jobs have been lost based on violations of the rule. A hospital or medical practice cannot afford to have violations, as the federal government strictly enforces HIPAA. It is essential to remember that the privacy of a patient—whether it is someone you know or not—is of paramount importance.
Also, pay attention to the policies of your employer. Had Ms. P considered the training she'd had, or the agreement she had signed, she might have realized the dire consequences of looking at unauthorized medical records. Always err on the side of caution.