My employer is in violation of HIPAA laws daily!

Latest post 02-13-2012 10:05 PM by Taxagent. 13 replies.
  • 02-13-2012 5:27 PM

    • naranay
      Consumer
    • Not Ranked
    • Joined on 02-13-2012
    • CA
    • Posts 4

    My employer is in violation of HIPAA laws daily!

    Hi,

    I have been working for a health clinic for over 5 years now. I have been concerned about the fact that the case workers and therapist are taking work home and completing patient notes from home or any other place outside of work. It is "against our policy" to do such a thing however the powers that be "pretend" they don't know this is going on when in fact I have brought it to their attention several times.

    Recently, I read about the penalties involved if HIPAA is violated. I wanted to know if someone could tell me if I could sue for these violations? What are the proper steps? Who should I contact?

    I already contacted HR about this problem 2 years ago and still, nothing has changed.

    Thank you for your help.

  • 02-13-2012 5:31 PM In reply to

    Re: My employer is in violation of HIPAA laws daily!

    I wouldn't know whether HIPAA regs prohibit such workers from taking stuff home with them to work on and I presume you've actually read something on the topic vs. just presumed (though your question makes it seem as though you haven't done any research).

    Even a patient wouldn't have standing to sue the employer for violations (though willful dissemination of medical info with intent to injure would presumably be actionable).

    Howsabout filing a complaint with the DHHS -- which if you've done any googling on the issue of HIPAA violations you'd see is the sole general remedy?

  • 02-13-2012 5:41 PM In reply to

    Re: My employer is in violation of HIPAA laws daily!

    naranay:
    I wanted to know if someone could tell me if I could sue for these violations?

    No, HIPAA does not provide for civil penalties and even then it isn't YOUR chart.  If there was a suit possibility only those patients affected could sue and they would have to have damages from the violation.

    naranay:
    I already contacted HR about this problem 2 years ago and still, nothing has changed.

    That is because it is NOT a HIPAA violation.  HIPAA prevents the unauthorized DISCLOSURE of protected health information.  The providers taking home charts to continue work are providing necessary care.  They are allowed to review the records in order to provide that care.  Unless you have proof that while in their custody these providers are disclosing the information to others who are not authorized to know these patients' information then there is no violation.

    naranay:
    It is "against our policy" to do such a thing

    Policy is not law and as long as the powers that be are okay and ensure that the information is ONLY being used for work related reasons then you have no dog in this fight.  

    For what it is worth MOST if not all providers work on charts from home. There simply is NOT enough time in the day to do it from the office location.  They either take a hard chart home or remote access electronic records.  If you expect every provider to stay in the office until finished then NO ONE is going to remain in health care.  Few if any providers want to spend 20+ hours per day in the office and away from family.  

    "That's just my opinion, then again I might be wrong."  Dennis Miller

     

  • 02-13-2012 5:50 PM In reply to

    • Kivi
      Consumer
    • Top 25 Contributor
    • Joined on 01-01-2005
    • CA
    • Posts 6,085

    Re: My employer is in violation of HIPAA laws daily!

    I don't know that taking protected health info home would be an  automatic violation, unless the employee lost the info in a manner that suggested carelessness. There are many kinds of health providers who do travel to see patients at homes, etc. and who probably have a requirement to make notes of their observations, etc. during the course of their visits. Visiting nurses and public health nurses come to mind, but there probably are others. Even doctors may see patients in nursing homes because they are unable to come to a physician's office. The best practice probably is to make the notes as soon as possible when the info is likely to be fresh versus waiting until someone is back in the office. These days, I would not be surprised if such employees carried laptops. Of course, good policy would dictate that such devices would be, at a minimum password protected, etc. and there could be something in HIPAA that addresses that particular issue. But on its face, absent other info, I doubt that you have an automatic HIPAA violation. There would have to be a bit more going on than what you have provided.

    Now, the employer could well have a policy that such info should remain in the office because of concerns about its loss when the info is not under its direct control or because the employer does not want to go to the expense of furnishing the case worker with a laptop, etc.  Those are all legitimate concerns and ones that a health clinic undoubtedly should address.  But, lax enforcement of a particular employer policy is not the same as a HIPAA violation.

  • 02-13-2012 5:52 PM In reply to

    Re: My employer is in violation of HIPAA laws daily!

    naranay:
    I have brought it to their attention several times.

    Kiss of death.

    Keep nudging your employers about something that isn't illegal and that they don't mind, is a good way to get yourself fired.

     

    • The right of the people 
    • to keep and bear arms,
    • shall not be infringed.
  • 02-13-2012 6:07 PM In reply to

    • naranay
      Consumer
    • Not Ranked
    • Joined on 02-13-2012
    • CA
    • Posts 4

    Re: My employer is in violation of HIPAA laws daily!

    As I stated in my initial post, it is against company policy to do such things. Also I did READ what it is, I'm not sure if you missed the part where I said I've been working for them over 5 years now so yes I know what I am talking about. However, I am not an attorney so I was asking because that's what people do when they have a question.

    It is AGAINST THE law to compromise patient information, whether intentional or unintentional. If a therapist is writing notes from his/her home and that note displays the patient's name, birthdate, and social security numbers it is absolutely in direct violation of the HIPAA ACT of 1996. Nobody knows who is at the staff's home while they have the patients' information. I did the research, however I did not see whether a lawsuit could be filed which is why I'm ASKING. How about if you don't know something and someone asks a question you DON'T ANSWER IT?? It sounds like you did a lot less research than I did on the subject and you're the one who called yourself answering the question.

     I just wanted to be pointed in the right direction. If all you have are assumptions I would appreciate it if you didn't respond. I need answers. I think the assumptions board is in another location.

    Thanks. Have a great day!

  • 02-13-2012 6:21 PM In reply to

    • naranay
      Consumer
    • Not Ranked
    • Joined on 02-13-2012
    • CA
    • Posts 4

    Re: My employer is in violation of HIPAA laws daily!

    The reason I am even bringing this up is because my coworker (a therapist) had her laptop up in plain view while we were at lunch in a busy restaurant.

    I read that you could be fined even if you were unaware that you were violating the law. In the LAW it says that healthcare providers can't even say a patient's name out loud. We are not allowed to send emails with patient names. So it doesn't seem "lawful" to be able to take patients' personal information home or to restaurants because we do not know who will be able to view them.

    I do not expect healthcare providers to finish their entire caseloads in 8 hours but I didn't make the law. I do want to follow it or at least not be implicated at all when the crap hits the fan and the clinic I work for has to pay heavy fines and might even close. Thanks again.

  • 02-13-2012 6:27 PM In reply to

    • naranay
      Consumer
    • Not Ranked
    • Joined on 02-13-2012
    • CA
    • Posts 4

    Re: My employer is in violation of HIPAA laws daily!

    adjuster jack:

    naranay:
    I have brought it to their attention several times.

    Kiss of death.

    Keep nudging your employers about something that isn't illegal and that they don't mind, is a good way to get yourself fired.

     

    Yeah you are right adjuster Jack! We should NEVER EVER question corporations and their shady practices. Just be a good SLAVE put your head down and do as we are told. Yes. What was I thinking, reading the employee handbook which STRICTLY prohibits the behavior! And never mind that it's against FEDERAL LAW. You're right. Thanks for your input.

    Oh and by the way, if my employer fires me because I'm bringing UNLAWFUL behavior to their attention that's called retaliation and yes there is a PESKY LAW against that too.

  • 02-13-2012 6:39 PM In reply to

    • DPH
      Consumer
    • Top 10 Contributor
    • Joined on 10-08-2001
    • TX
    • Posts 7,475

    Re: My employer is in violation of HIPAA laws daily!

    naranay:
    I do not expect healthcare providers to finish their entire caseloads in 8 hours but I didn't make the law.

    It is also not up to you to interpret the law.  Go ahead and report what you believe to be violations to the proper authority and let the chips fall where they may.  Either that or move on and forget about it.  Since nothing happened when you reported it 2 years ago, your only option is to try again or move on.

    naranay:
    I do want to follow it or at least not be implicated at all when the crap hits the fan and the clinic I work for has to pay heavy fines and might even close.

    Again, not really your concern.  If you are worried that something will happen, then start looking for a new job and report it when you find it.  If you aren't doing "it", why would you be implicated?

    Personally I believe that you are reading too much into the employees taking this information home to work on it.  Nowhere do you indicate that they are disclosing this information to anybody for any purposes other than getting their work done in a timely fashion.

    "Never argue with stupid people, they will drag you down to their level and then beat you with experience."  -  Mark Twain

     

  • 02-13-2012 6:41 PM In reply to

    Re: My employer is in violation of HIPAA laws daily!

    naranay:
    In the LAW it says that healthcare providers can't even say a patient's name out loud.

    No, it doesn't.  If it did how would a medical assistant call a patient to an exam room?  How would the providers talk to the patients?  Clearly you do not understand HIPAA.  While there can be consequences for violating it even if unaware, the consequences are based upon the seriousness of the breach and the intent.  

    naranay:
    I do want to follow it or at least not be implicated at all when the crap hits the fan and the clinic I work for has to pay heavy fines and might even close.

    I have been in healthcare for 25+ years and I think you are WAY overreacting.  However, I can tell you that unless YOU are doing these things you won't be implicated at all.  Odds on them closing over this:  zero.  At best if you file a complaint with DHS I predict they would get a warning from DHS noting that they need to ensure that patient information is protected.  Feel free to file a complaint.  It is anonymous and they will investigate all complaints.  What you cannot do is sue.

    FYI:  A MAJOR hospital chain in California self reported actual chart violations of several celebrities by employees NOT involved in the patient's care.  They were hit with a $250,000 fine but not forced to close.  Fines for violations are based upon the intent and seriousness of the violation.  That is why I predict at best your employer would get a warning or perhaps censure.  Business closing fines?  Doubtful.

    If the care providers are not INTENT on releasing patient information then you are really making a mountain out of a molehill.  Also, how many unauthorized disclosures have occurred in your five year tenure there?  If no patient or person has come in stating "I got a hold of this information and it isn't mine" then there probably isn't a security issue.  As to family at home getting the information:  all my family do is complain and moan that I bring work home.  They don't care to read it and I don't run cases by them.  Neither do most upstanding professionals.

    "That's just my opinion, then again I might be wrong."  Dennis Miller

     

  • 02-13-2012 7:37 PM In reply to

    • Kivi
      Consumer
    • Top 25 Contributor
    • Joined on 01-01-2005
    • CA
    • Posts 6,085

    Re: My employer is in violation of HIPAA laws daily!

    I used to work for a Federal agency (not the IRS), where I had access to all sorts of very private and sensitive information including SSN, dates of birth, etc. I could do print screen that would include your name, SSN, DOB, address and a list of the diagnostic codes for your case. It's hard to get much more sensitive than that. If I want to do so, I could click on the diagnostic codes and get a very abbreviated explanation of the medical conditions in question. We were not covered by HIPAA, but we were covered by the Privacy Act of 1974, which does give an individual the right to bring suit in Federal court for Privacy violations.

    I also telecommuted two days a week before I retired. My spouse retired a year or two before I did. There almost certainly were times when I was working remotely that he came into the room to speak with me. He could clearly see the info on the computer screen had he chosen to look at it. (He had no interest in what I did, so he never really bothered. My family is like Clyde'sMom family.) Remote access did require both a very tough password and an 8 digit PIN. These had to be changed every 90 days.

    Did I work remotely from a Starbucks or similar place? No, too risky IMHO. Also, because I worked remotely, I never printed documents at home. I saved them to a special spot on the server at work and printed them at work when needed.

    For the sake of argument, let's assume that I and my spouse are dishonest people. Believe me, I had access to a lot of info. Let's say that I compiled it and had my spouse or, even better, a BF whose relationship to me might be a bit less obvious, sell it to someone on the street. How long do you think it would have taken for the authorities to figure out where the breach came from and how long do you think it would have taken them to figure out that I was involved? It would have taken a little bit of time, but probably not a lot of time. (I am guessing maybe six months to a year.)

    Most working people value their employment and they value their freedom. I certainly would not have risked a job with benefits that paid me close to 100k a year for some quick bucks. I certainly had no interest in going to prison. The risk of someone suing me in prison would have been way down on my list of worries.

    Most people in the health care field spend a lot of time getting their education and certifications. Obviously, some are more highly compensated than others.  Are they really going to throw that away for a few quick bucks on the street? I would submit that most probably would not. Some might. There are dishonest employees in all agencies and there undoubtedly are some in health care clinics as well. But, you still are left with figuring out how to do it without getting caught.

    Yes, clinics need to be concerned about these issues. But, as long as the employees in question are taking reasonable precautions with respect to their data, they are probably in compliance with HIPAA as I was with the Privacy Act. There is nothing in either law that says data must remain within the confines of the agency's or clinic's walls. The statutes require care in the handling of such data. Some places may choose to make that kind of restriction. But, neither law requires it.

  • 02-13-2012 9:05 PM In reply to

    • Drew
      Consumer
    • Top 10 Contributor
    • Joined on 03-30-2000
    • PA
    • Posts 49,345

    Re: My employer is in violation of HIPAA laws daily!

    I am sure many an employee would be quite happy to have a rigid rule that no work shall leave the premises by any means -electronic, memory stick or anything--saves doing lots of unpaid work --and I know folks who work in such an environment--nothing comes in or goes out --place operates with extreme security --but that is not what you describe.

    If you want to get assigned to the Siberian substation--just yap off at work about security breaches--put it into print and circulate it around to all levels of management and see how long you last.

    I think our society is at far far greater risk from those who hide behind self created rules that frustrate transparency of the acts of our elected officials and public employees.




  • 02-13-2012 9:39 PM In reply to

    • cbg
      Consumer
    • Top 25 Contributor
    • Joined on 12-21-2000
    • MA
    • Posts 6,815

    Re: My employer is in violation of HIPAA laws daily!

    I don't work for the health care industry but I do work with confidential information, some of which is protected under HIPAA. I rarely take work home unless there is bad weather that might preclude my coming in (in which case taking work home is employer-sanctioned) but you know what? The information I have with me is LESS likely to be compromised when I have it at home than it is at work. We have multiple non-employees who are in the office on a daily basis; at home there is only my husband, who is in his home office working on his own confidential information. I use the same computer and the same passwords whether I'm at home or in the office.

    I really don't think you understand HIPAA.

  • 02-13-2012 10:05 PM In reply to

    Re: My employer is in violation of HIPAA laws daily!

    naranay:
    It is AGAINST THE law to compromise patient information, whether intentional or unintentional.

    No, it's not. It is illegal to make an unauthorized DISCLOSURE of health information. That's the key word. A health care worker can take records home to work on them and that by itself won't violate HIPAA. If the health care worker fails to take adequate steps to safeguard that information and an unauthorized disclosure results, that will result in a violation of HIPAA. Thus, employees taking such information out of the office need to take care that they secure the information so that an unauthorized disclosure does not occur. Employers who permit employees to take records home are well advised to set standards for what employees must do to safeguard the health information he or she has in his/her possession. But it is certainly not automatically illegal for employees to take the records home. It is only a problem if an actual illegal disclosure occurs.

    naranay:
    Nobody knows who is at the staff's home while they have the patients' information.

    Presumably the employee knows who is in his/her home and can adequately safeguard the information so that those folks do not have access to it.

    naranay:
    I did the research, however I did not see whether a lawsuit could be filed which is why I'm ASKING.

    The HIPAA statute does not itself provide a civil remedy for violations of the Act. The sole remedy for a HIPAA violation is to make a complaint with the U.S. Department of Health and Human Services (HHS), which is the federal agency charged with enforcing HIPAA.

    A negligent disclosure of information may result in a civil lawsuit if the negligence resulted in financial damages to the patient. This would be under state tort law, not HIPAA, and is a risk that the healthcare provider would have even if HIPAA had never been enacted. HIPAA does, however, affect how one might argue that the healthcare provided was negligent. Even if there was negligence, though, without ACTUAL financial loss from the disclosure there is nothing for which to sue.

    naranay:
    Oh and by the way, if my employer fires me because I'm bringing UNLAWFUL behavior to their attention that's called retaliation and yes there is a PESKY LAW against that too.

    No, that's not illegal retaliation, and that's important for employees to understand. With a couple of important exceptions, complaining to your employer about wrongful activity is not protected. Complaining to a government agency about it, on the other hand, often is protected. Thus, if you make a pain in the butt of yourself to your employer by repeatedly complaining about this and get fired, you may find you have no wrongful termination case against the employer for it. If you are really concerned that actual illegal disclosure is taking place then file a complaint with HHS. But again, simply taking the records home is not a violation. Unless an actual unauthorized disclosure takes place, there is no violation of HIPAA.

    I used to work for IRS and had access to taxpayer data. The rules for disclosure of tax return information are some of the strictest in federal law. The IRS nevertheless allowed (and even encouraged) employees to work from home. The IRS does, however, take a number of steps to ensure that taxpayer information is properly safeguarded while the employee works from home. These included laptops that were encrypted and password protected, use of a virtual private network (VPN) for e-mails, etc., and the requirement that the employee have a locked room or file cabinet to secure the information when the employee wasn't there. I think that's a good model for employers in the healthcare field to follow – if they allow the employees to take the records from the office, have a policy in place for how that information must be safeguarded to ensure compliance with HIPAA and avoid negligence that might result in a civil lawsuit for damages under tort law.

    You're right that if your employer doesn't enforce its rule against taking the information out of the office and doesn't have a policy that spells out what employees must do to safeguard the information they do take out that the employer runs a risk that an employee will do something stupid or careless and a HIPAA violation may result. You've alerted the employer to the risk. There really isn't much more you can do. Repeatedly carping to the employer about it isn't likely to change the current practice; about all it will do is put you on the employer's short list of people it may want to get rid of. So long as you safeguard the information you have, you should be fine. I'd let the rest go at this point if I were you, assuming you want to keep your job.
