I work at a diangnostic clinic. We are not allowed to discuss patient information with other employees but when a test result came in for an ex employee many of the office personel were talking about this ex employees/patients test results. This ex employee/patient is a friend of mine so I called her and informed her that her patient privacy was being violated at the office. My employer found out that I informed this ex-ployee/patient that her privacy rights were violated and now I am being reprimanded and possibly having legal action taken against me. Was I breaking hipaa law by informing the ex-employee/patient that her privacy rights were broken at my office? Please advise as my employer has cantacted his attorney.
1 Answer from Attorneys
Re: hipaa law
I don't think that under HIPAA what you did constituted a "disclosure" because you were not revealing confidential health information, you were disclosing your company's wrongful conduct.
Having said that, if your employer were to argue that this is a disclosure and violation under HIPAA, I think that would be a weak argument because the patient has a right to his/her own health information under HIPAA itself.
HIPAA also has a "whistle blower" section. However, I don't think that you really complied with that part becuse your disclosure was not to the secretary of HHS or to your attorney, your communications were with the patient herself.
The HIPAA whistleblower section only applies if your had gone to the authorities at DHSS or were simply communicating facts to a lawyer.
"(j) Standard: disclosures by whistleblowers and workforce member crime victims.
(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
So, this probably doesn't apply.
Your employer's big issue may be that the so called "incidental" discussions around the office are not protected by HIPAA; and that you violated a duty to your employer by disclosing information about the employer and it's activities.
Your boss is probably going to want to know why you didn't come to them first. Did you go to your bosses directly with the information re the HIPAA violations?