Health Information Compliance Alert

Reader Question:

To Report or Not to Report a Colleague's Privacy Breach

Here's what to consider if you encounter this dilemma.

Question: What should an employee of a healthcare practice or facility do if the person observes another employee of equal status looking at a paper medical record that he or she has no business reading? We've had a debate about that among the nurses in our office and opinions are mixed.

Answer: "Whether the employee has an obligation to report the other employee to the organization's management depends on whether the organization's policies/procedures require an employee to do so in that instance," says attorney Michael Roach, with Meade & Roach, in Chicago, Ill. "I'm not aware of anything under HIPAA that would directly require an employee to report another employee," he says.

"However, given the Breach Notification Rules, there is a very good chance that the organization has some requirement for reporting breaches such as this to the organization," Roach cautions. "That is because under those Rules the organization is deemed to have knowledge of the breach as soon as an employee has knowledge. And if the breach must be reported to the individual, then the organization has to notify the individual whose PHI was breached within a set time period."

Bottom line: "The employee who observed the breach should check the organization's policies and procedures on breaches of PHI very carefully to see if she has a duty to report under those," he counsels.

"Clearly, the person who looked at the record inappropriately could get fired for that action, depending on how the organization's policies are written," Roach continues. For example, the policies "could provide leeway for retraining and discipline." Whether the person who observed the breach could be fired or disciplined for not reporting it would depend on the organization's policies, Roach says. (That's assuming that the person didn't also look at the record herself, he adds.)

Another consideration: "If the employee who observed the breach is a licensed healthcare professional, there could be a state reg or law -- or a rule of the governing board, such as the board of nursing, etc. -- requiring the person to report wrongdoing," Roach cautions. In other words, "whether the employee has an obligation to report requires the person to do some digging in the possible rules that could apply."

"That being said, whether the person has a moral obligation to report is [a different matter] and not one I'm going to address," Roach concludes.