Was this a HIPAA/patient confidentiality violation?

Here is the situation. I work in a hospital, a very large hospital. I went to Payroll a few weeks ago to pick up my paycheck and my co-worker asked me if I would pick up hers too. I said I would and she wrote me a note giving me permission to do this.

When I got there, I got my check and then presented the note for my co-worker’s check. The lady at payroll read the note and then looked on the back and began to admonish me because the note was written on the back of some type of patient form, with a patient’s name on it. The lady said that this was a clear HIPAA violation and broke many patient confidentiality rules. I can kind of see that, but I think she overreacted. She said she would overlook this, but if it happened again, she would notify the “proper people”. LOL.

I was under the impression that the object of patient confidentiality was to prevent people from outside the institution from knowing patient details, etc…not from someone who actually works in the hospital.

Was this a breach of patient confidentiality/HIPAA?

I work with HIPAA data and just passed a certification exam a few weeks ago. I think it is clear that this was a HIPAA violation and a fairly serious one at that. An institution can’t let data protected by law be used as scratch paper. There are all kinds of terms that are associated with HIPAA to tell what uses are justified. However, in the workplace, it can be summarized as a “need to know basis” and that fails here.

I work in a large hospital, too, albeit in an off-campus office. When we took the HIPAA compliance classes, we were told that it was our duty to report HIPAA violations to our immediate supervisor no matter how small the violation was.

Consider yourself lucky the payroll person didn’t turn you in.

Fines for violations can be very steep. It is very unlikely that the payroll person has anything to do with the patient’s care (which includes their bill, etc) and, therefore, should not be privy to such information.

I volunteer at a local hospital and that is INDEED a HIPAA violation. Anything involving patient names, even just a list of appointments, is to be discarded into special color-coded bins to be shredded. Even innocent discussion of patients between doctors in the halls or elevators can be considered a violation.

They take HIPAA very seriously, and no, the woman in question definitely did not overreact.

I was the HIPAA officer at my last job. Yes, this was a violation. Yes, this was serious.

As a biller I cannot leave my desk with papers face-up. I cannot leave my computer screen with an open application. I have to lock my filing cabinet, and I have to lock my office when I am not in it. I have to have a password on all my applications, and one on my computer itself. My office is only accessible to other staff, but I still have to do this per HIPAA. HIPAA is too extensive to quote chapter and verse, but I am required to keep my files off-limits to anyone but staff who need the information to do their job. Likewise, our charts can only be accessed by staff that need the information contained to do their job. So, no, HIPAA is not just for keeping “outsiders” away from PHI.

If the paper that contains PHI is no longer needed, it’s supposed to be shredded, or kept in a locked container until your document destruction contractor picks it up. So the fact that the piece of paper was even lying around is a couple of violations alone.

Good for your employer for making sure even non-clinical staff are instructed on HIPAA.

Hell, if I get a call from an insurance company and I write just the patient’s account number on a Post-It note, the note goes in the shredder.

I don’t have $10,000 to pay a fine and I like my job.

Yep, as another HIPPA trainee, this was pretty serious. It’s more your co-worker’s fault than yours, though. Jeez, paper is cheap. What’s wrong with grabbing a nice, clean white piece of paper for that note? Leave the recycling and reclamation to the shredding folks. That’s their job.

When I was a kid my family lived in a two-story house and my mom liked to stack the clean laundry on the stairs to take up later. One day my dad got home and said “Osha would never do a thing like that”, making OSHA sound like another woman to pique my mother’s jealousy. After my dad irritated my mother even more by laughing at her reaction, he explained what OSHA was and mentioned being “OSHA’s slave” at work. I now go around saying that I’m “HIPPA’s bitch” in homage to my father.

Make that “HIPAA” :smack:

Yeah, I’d have to say violation. Beyond the fact that she didn’t “need to know” that patient’s information (and how much good is a privacy policy going to be in a large hospital if anyone on staff can get access to anyone’s information?) there’s the matter of how it’s disposed of. Anything like that would be “sensitive trash” (band name!) and disposed of according to the guideline (shredded). But if you use it as scrap paper and she hadn’t noticed it, it most likely wouldn’t have been.

I would like to ask the OP why he/she thought this was unjustified given that the OP works in a hospital. The hospital must not run a very effective training program and that type of thing is required by federal law. HIPAA isn’t just to protect data from the “outsiders”. All of the employees have lives outside the hospital too and many have overactive tongues or malicious reasons to share what they know. If that type of thing goes on long enough, it is virtually certain that someone who has no business looking at a certain piece of information will find out something sensitive about someone he or she knows or knows of. That can be life altering for someone and it shouldn’t be taken lightly. The information could contain references to anything from abortion, to Bipolar disorder to cancer. Even seemingly innocent information like patient lists tell a whole lot when matched up by their doctor’s specialty.

So OP, what was the thought process that made you think otherwise?

Another hospital worker here, and yep, violation. You got off easy. Make sure to check next time!

It makes sense; if that second person wouldn’t have seen the other side, it could have been tossed out as regular trash and found by someone outside the hospital. Or, and I know this is a statistical near impossibility but that near is why we have this stuff, she could have been related to the patient on the record, or known them, and that information could have been leaked. Lots of reasons why it’s against the rules. All of them good ones, IMO.

I had to go through like a two hour seminar on this so I am pretty hardcore about my HIPAA-enforcing skillz.

Yep. My coworker accidentally did something quite similar and got smacked down pretty hard.

Yup, violation.

Let’s join in and say “Violation.” Very obvious violation, to me.

It would not be logical (even without the existence of HIPAA) to assume that every hospital employee should have access to every patient’s medical information. Certainly the cooks, janitors, IT people, administrative staff, etc., do not need to know what Joe Smith is there for. Nurses and doctors in unrelated departments most likely will have no need to know either. The Payroll lady definitely doesn’t need to know.

The fact that you don’t know these things is pretty troubling. Have you received any training on HIPAA?

But hold on here. What was the nature of the form? If it was just a boilerplate form that contained nothing more than a patient’s name, is that in and of itself a HIPAA violation? I think we need more details here.

Yes. Because it confirms a person is a patient at that particular hospital, or receiving medical care in general. Could lead to problems if that got out, especially if the person is a patient at an abortion clinic or psychiatric clinic.

Fair enough, though the OP says he/she works at a very large hospital. Let’s suppose this is nothing more than a photocopied form acknowledging receipt of the hospital’s confidentiality policy and containing nothing more than the patient’s name. In that case, is this still a “serious” violation… or even a violation at all? And if so, has anybody ever been fined or taken to court for a violation like that?

I do feel that we need more info from the OP before we can pronounce on how serious this is.

As said above, yes.

From my HIPAA Training Booklet:

That’s from a very large hospital organization’s training book.

Basically, unless your contact (employee, boss, MD, janitor, friend, relative, or guy off the street) Needs To Know, they cannot be told anything about any given patient.

HIPAA is a huge pain in the ass to hospitals, but it is not only respected, but downright feared by all of them. Erring is always on the side of caution.

Ha! You think that’s a violation? The doctor I worked for (until Monday) recently left a foot-tall stack of charts in a window seat in a corridor of our medical office building/hospital complex. Some administrator brought them to the office, having found them there unattended. When she got back she said “I just put them there while I went to get some breakfast.” She didn’t see what the fuss was about. These were complete patient charts, containing (besides medical information) patients’ names, addresses, social security numbers and dates of birth. For probably 25 patients. An identity thief’s dream.

StG