David J. Goldberg, M.D., J.D., explains how a terminated employee can violate HIPAA if they access medical records of other associates at their former place of work, even if they find out one of those associates had COVID-19 and did not disclose it to the office.
Dr. Derm had been an associate in a large multi-physician dermatology practice for over a decade. Ultimately, he and his physician associates decided that it was in the best interest of the practice if he left. There were no contractual issues of concern. Dr. Derm was to leave as of Jan. 1. He is upset about his termination but simply finishes his days seeing patients and fulfilling his duties.
The dermatology group has a sophisticated electronic medical record (EMR) system. There is full access to all relevant office materials from any computer anywhere in the world. Dr. Derm’s access should have been terminated on Jan. 1 but was not terminated until Feb. 1.
During that intervening month, he should not have had access to any medical records. Out of curiosity, Dr. Derm signs into the system and downloads medical records of some of his former associates. He finds out that one of his former associates tested positive for COVID-19 (although he was asymptomatic) and continued to work without notifying anybody in the office. Dr. Derm is perplexed as to whether to report his associate to the state medical board and/or a variety of legal entities. He is not aware that anybody contracted COVID-19 from the associate.
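The access lapse in this scenario (rights that should have ended on Jan. 1 but persisted until Feb. 1) is exactly the kind of gap a routine access review over EMR audit logs is meant to catch, both by flagging record access after a user's last authorized day and by measuring how long deprovisioning took. The script below is an added example written for this page; it is not code from the column or from any real EMR product. The audit-log format, user names, record identifiers and the year used in the dates are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed termination roster (hypothetical): user id -> last authorized day.
# The column gives no year, so 2021 is assumed here purely for illustration.
TERMINATIONS = {
    "dderm": date(2021, 1, 1),  # access should have ended on Jan. 1
}

# Constructed EMR audit log (hypothetical CSV format: timestamp,user,action,record).
# For a disable_account event the "record" column holds the disabled user id.
AUDIT_LOG = """timestamp,user,action,record
2020-12-30T09:15:00,dderm,view,PT-1001
2021-01-12T22:41:00,dderm,download,EMP-0007
2021-01-13T23:02:00,dderm,download,EMP-0012
2021-01-14T10:00:00,asmith,view,PT-1002
2021-02-01T08:00:00,admin,disable_account,dderm
"""


@dataclass
class Finding:
    user: str
    timestamp: datetime
    action: str
    record: str
    days_past_termination: int


def parse_audit_log(text):
    """Yield one event dict per CSV row, with the timestamp parsed."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "record": row["record"],
        }


def post_termination_access(log_text, terminations):
    """Return every record access performed by a user after their last authorized day."""
    findings = []
    for ev in parse_audit_log(log_text):
        last_day = terminations.get(ev["user"])
        if last_day is None:
            continue  # active staff: not in scope for this check
        if ev["timestamp"].date() > last_day:
            findings.append(Finding(
                user=ev["user"],
                timestamp=ev["timestamp"],
                action=ev["action"],
                record=ev["record"],
                days_past_termination=(ev["timestamp"].date() - last_day).days,
            ))
    return findings


def deprovisioning_lag_days(log_text, terminations):
    """Days between each terminated user's last authorized day and the disable_account
    event for that user; None if the account was never disabled in the log."""
    disabled_on = {}
    for ev in parse_audit_log(log_text):
        if ev["action"] == "disable_account":
            disabled_on[ev["record"]] = ev["timestamp"].date()
    return {
        user: ((disabled_on[user] - last_day).days if user in disabled_on else None)
        for user, last_day in terminations.items()
    }


if __name__ == "__main__":
    for f in post_termination_access(AUDIT_LOG, TERMINATIONS):
        print(f"{f.user} {f.action} {f.record} at {f.timestamp} "
              f"({f.days_past_termination} days after termination)")
    print("deprovisioning lag (days):", deprovisioning_lag_days(AUDIT_LOG, TERMINATIONS))
```

Run against the constructed log, the first function reports the two January downloads by the departed user and the second reports a 31-day deprovisioning lag; a real review would feed the same two checks from the HR termination list and the EMR's own audit export.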
Three months later, his former associates become aware of what Dr. Derm did and wish to sue Dr. Derm for a Health Insurance Portability and Accountability Act (HIPAA) violation. He contends that he did nothing improper. Now he decides to report the former office for potentially exposing patients to COVID-19.
Where does Dr. Derm legally stand? The former associates contend that the medical records are part of a HIPAA-protected environment and that information is only available on a need-to-know basis. If Dr. Derm had no official business pertaining to a file (he was no longer a practice associate), then he did not “need to know.” Healthcare professionals must consider HIPAA to be such a protected environment.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, originally passed in 2009, was a regulatory measure introduced in anticipation of the sudden rise in the number of healthcare practices adopting electronic health records (EHR). Violations of the HITECH regulations can lead to civil or criminal liabilities. The simple explanation of these rules is that the HIPAA Privacy Rules lay down the standards that should be followed to become HIPAA-compliant, while the HITECH Act Rules elaborate on the criticality of following these norms and lay down enforcement, accountability, penalty and prosecution-related guidelines for those involved in sharing or accessing personal health information.
The purpose of HITECH is to:
HITECH stipulates that unauthorized access to patient records can lead to jail time. This has already happened. File snooping out of curiosity is not considered authorized access. There was no “need to know” for Dr. Derm. Accessing the records of a neighbor, a child’s teacher or friends without authorization can lead to legal difficulties for a physician or any provider within that practice. The COVID-19 information, although certainly a major issue for the practice, is a distraction in this HIPAA-associated case. Dr. Derm is guilty of a HIPAA violation.