HIPAA makes employers pay cost of employee curiosity

Beau Patterson, a business and health law attorney with McAfee & Taft, discusses HIPAA obligations coming soon for non-health care employers.
by Paula Burkes Published: July 31, 2013

Q&A with Beau Patterson


Q: Cedars-Sinai Medical Center in Los Angeles made news earlier this month when it terminated several employees in response to a privacy breach involving the medical information of celebrity Kim Kardashian. The breach occurred when six hospital employees, who were not involved in Ms. Kardashian's care, accessed her medical file seeking information about her recent pregnancy and delivery. The information was not shared outside of the hospital, and the employees appeared to be motivated only by a desire for information about their favorite television personality. Did the hospital do the right thing?

A: Yes. The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on health care providers and related covered entities to protect and secure a person's health information. This not only means preventing outside disclosures of protected health information, but also limiting access within the organization to persons who need to know for treatment, payment or health care operation purposes. HIPAA requires a swift and thorough response when a breach is discovered, which can include imposing disciplinary penalties up to termination for employees who violate the law, and undertaking expensive training and corrective measures to guard against future problems. The federal government can impose significant fines when a covered entity fails to safeguard protected health information or to respond appropriately to a breach. Criminal penalties are a possibility. In 2011, the UCLA Health System paid nearly $1 million to federal regulators to settle claims of HIPAA privacy breaches engaged in by certain members of its administrative and medical staff. In one case, a physician in the system received a four-month prison sentence for impermissibly accessing the medical records of former Gov. Arnold Schwarzenegger.

Q: Do HIPAA's obligations apply to non-health care providers?

A: Yes. Beginning Sept. 23, federal rules will go into effect imposing many of HIPAA's privacy and security obligations (as well as corresponding penalties) on third-party businesses that perform services for — and receive protected health information from — covered entities (“business associates”). For example, a law firm representing a nursing home in litigation is a business associate if it receives protected health information during the course of its representation. Likewise, a business consulting firm that receives and analyzes protected health information as part of its effort to assist a health care provider in improving operational efficiency would be a business associate. Businesses shouldn't assume that, because they are seemingly not involved in the health care industry, they are necessarily outside of the reach of HIPAA.

