It is AGAINST THE law to compromise patient information, whether intentional or unintentional.
No, it's not. It is illegal to make an unauthorized DISCLOSURE of health information. That's the key word. A health care worker can take records home to work on them and that by itself won't violate HIPAA. If the health care worker fails to take adequate steps to safeguard that information and an unauthorized disclosure results, that will result in a violation of HIPAA. Thus, employees taking such information out of the office need to take care that they secure the information so that an unauthorized disclosure does not occur. Employers who permit employees to take records home are well advised to set standards for what employees must do to safeguard the health information they have in their possession. But it is certainly not automatically illegal for employees to take the records home. It is only a problem if an actual illegal disclosure occurs.
Nobody knows who is at the staff's home while they have the patients' information.
Presumably the employee knows who is in his/her home and can adequately safeguard the information so that those folks do not have access to it.
I did the research, however I did not see whether a lawsuit could be filed which is why I'm ASKING.
The HIPAA statute does not itself provide a civil remedy for violations of the Act. The sole remedy for a HIPAA violation is to make a complaint with the U.S. Department of Health and Human Services (HHS), which is the federal agency charged with enforcing HIPAA.
A negligent disclosure of information may result in a civil lawsuit if the negligence resulted in financial damages to the patient. This would be under state tort law, not HIPAA, and is a risk that the healthcare provider would have even if HIPAA had never been enacted. HIPAA does, however, affect how one might argue that the healthcare provided was negligent. Even if there was negligence, though, without ACTUAL financial loss from the disclosure there is nothing for which to sue.
Oh and by the way, if my employer fires me because I'm bringing UNLAWFUL behavior to their attention that's called retaliation and yes there is a PESKY LAW against that too.
No, that's not illegal retaliation, and that's important for employees to understand. With a couple of important exceptions, complaining to your employer about wrongful activity is not protected. Complaining to a government agency about it, on the other hand, often is protected. Thus, if you make a pain in the butt of yourself to your employer by repeatedly complaining about this and get fired, you may find you have no wrongful termination case against the employer for it. If you are really concerned that actual illegal disclosure is taking place then file a complaint with HHS. But again, simply taking the records home is not a violation. Unless an actual unauthorized disclosure takes place, there is no violation of HIPAA.
I used to work for IRS and had access to taxpayer data. The rules for disclosure of tax return information are some of the strictest in federal law. The IRS nevertheless allowed (and even encouraged) employees to work from home. The IRS does, however, take a number of steps to ensure that taxpayer information is properly safeguarded while the employee works from home. These included laptops that were encrypted and password protected, use of a virtual private network (VPN) for e-mails, etc., and the requirement that the employee have a locked room or file cabinet to secure the information when the employee wasn't there. I think that's a good model for employers in the healthcare field to follow – if they allow the employees to take the records from the office, have a policy in place for how that information must be safeguarded to ensure compliance with HIPAA and avoid negligence that might result in a civil lawsuit for damages under tort law.
You're right that if your employer doesn't enforce its rule against taking the information out of the office and doesn't have a policy that spells out what employees must do to safeguard the information they do take out that the employer runs a risk that an employee will do something stupid or careless and a HIPAA violation may result. You've alerted the employer to the risk. There really isn't much more you can do. Repeatedly carping to the employer about it isn't likely to change the current practice; about all it will do is put you on the employer's short list of people it may want to get rid of. So long as you safeguard the information you have, you should be fine. I'd let the rest go at this point if I were you, assuming you want to keep your job.