Need some serious advice for serious issue!

moodyk13 (Contributor, Flowery Branch, GA)
During a routine maintenance of computer systems, I.T. stumbled upon highly sensitive company communications going on via an employee's personal, third-party email account. Based on the nature and content of the emails that had popped up on the home screen, I.T. felt they had probable cause/justification to conduct company-related searches in this email account, such as specific company topics, names, company email addresses, etc. Again, all company related. What they uncovered was emails of HIPAA violations, company reports, recorded phone calls and inappropriate email exchanges between the employee and one of the senior management staff.

Problem #1: I.T. conducted the searches based on what they saw when this private email account opened up as the home screen, but didn't report those immediately, proceeding instead without further authorization.

Problem #2: The person(s) I.T. would have needed to obtain authorization from were/are participants in the employee's emails.

Problem #3: There was no "privacy / no expectation of privacy" policy in place at the time of the investigation. One has since been implemented, but anything before that implementation .............

Right now, my position with I.T. has remained that I cannot do anything with this information. All I can do is implement the policy, and if anything happens from here forward, then we deal with it then.

Any advice is greatly appreciated
It's a little hard to understand what has happened here based on the limited detail you've provided and it's also not clear what kinds of advice you're looking for. I'm interpreting that you feel there has been wrongdoing identified that perhaps hasn't been appropriately addressed by your organization? This sounds like it's probably a pretty complex issue so I'd recommend discussing your concerns with your internal compliance or legal departments where you can speak more freely about the particulars of the case. If your organization doesn't have these, or if you're not comfortable going to them, then you might consider a consultation with a private attorney. As another option, if a HIPAA breach is involved and you feel it might not have been properly disclosed or reported according to regulations, then you may want to contact the Office of Civil Rights which is the enforcement agency. Hope this may help some - unfortunately the coding forum might not be the best place to get advice for difficult legal questions.
Hi Thomas, thank you for your reply. I show this is posted in the compliance forum, not the coding forum?

Anyway, I am the compliance officer and I.T. and I think the situation is explained in the first paragraph in the OP.
Hello again - you're correct this is the compliance forum, but I meant that since this is under the umbrella of the AAPC, most of the users usually found here are coders with coding-related compliance questions. You might get better input from a discussion forum at an organization specifically dedicated to compliance such as the HCCA.

I did read through your original post again several times, but I'm afraid I'm still at a loss to completely understand the issue - maybe I'm missing something. I'm not sure I know what you mean exactly by "emails of HIPAA violations, company reports, recorded phone calls and inappropriate email exchanges," as that could encompass a wide range of behaviors and content. I'd just say that if you have knowledge that laws were broken or if a breach of PHI occurred during these exchanges, you may still be legally required to report this even if you did not have a policy in place at the time. But if it was simply 'inappropriate' behavior by individuals who were acting in good faith and within their authority, and which did not compromise any PHI security or break laws, then addressing it by implementing a policy, educating the individuals and closing the issue might be the appropriate action; but without knowing specifics it's hard to say more. Although I'm not a compliance officer, I think that if I were in your place and confronted with something that sounds as potentially serious as this, I would certainly want to discuss it in confidence with an attorney to support my decision on this. Certainly your organization must have a legal resource for you? The nuances of the laws are complex, and the input of someone with a thorough and current knowledge of the regulations and case law would be invaluable.
I am a compliance officer and I agree with Thomas. What you have described may potentially violate several laws and, as Thomas mentioned, you may have a legal responsibility to report the violations to the appropriate agency. Given the nature of the violations you outlined, I would advise you discuss this with an attorney - sooner rather than later. As another poster pointed out, you have 60 days from the date of discovery to report a HIPAA breach. Also, there may be other laws that are in violation by what you have described, such as state consent laws when it comes to recording conversations/phone calls. Again, it all depends on the nature of the violations, what information was incorrectly released/shared/recorded, by whom, and to whom. An attorney is going to be best able to advise you on the appropriate steps to take based on the specific details of what you discovered.
Thank you all for your responses. I am working on a solution and one day, hopefully, I will be able to share the whole story so as to help anyone else stuck in such a dilemma.