September 18, 2014

QUESTION:    How should we handle potential HIPAA violations by medical staff members? It seems the Privacy Officer should be involved, given that person’s expertise and responsibility for privacy generally. At the same time, HIPAA violations often involve behavioral concerns that the medical staff leadership may want to address.

ANSWER:    There are good reasons for involving a hospital’s Privacy Officer in the review of HIPAA violations by medical staff members. First, HIPAA states “[a] covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.” 45 C.F.R. §164.530(a)(1)(i). Since the hospital’s Privacy Officer is responsible for “implement[ing]” the HIPAA policies of the hospital, the Privacy Officer should be involved in addressing privacy violations by medical staff members.

Also, Privacy Officers have significant experience investigating and responding to privacy violations. They will be familiar with HIPAA’s dense regulatory requirements and know how to find information that shows if health information was improperly accessed.

At the same time, there are good reasons for using the medical staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the medical staff to review the actions of its members.
  • The medical staff process is protected by a statutory peer review privilege, which may help to prevent the records of a HIPAA investigation from being used in a lawsuit by a disgruntled patient.
  • Violations of HIPAA (or any regulation) often include a behavioral component that will be of interest to the medical staff leadership.

Thus, a hybrid process seems ideally suited for reviewing HIPAA violations by medical staff members. Such a hybrid process could use the review process identified in the medical staff Professionalism Policy, but with the HIPAA Privacy Officer closely involved in the review. The Professionalism Policy and the document that describes the composition of the committee that reviews behavioral concerns (e.g., the Leadership Council) should specifically state that other hospital personnel (such as the Privacy Officer) may be involved in the review of behavioral matters.

It’s also important to define expectations for medical staff members. The medical staff Professionalism Policy should define “inappropriate conduct” to include “inappropriate access, use, disclosure, or release of confidential patient information.”

Finally, medical staff and hospital leaders must be willing to enforce policies dealing with patient privacy. In the past, HIPAA violations by medical staff members were often treated with a slap on the wrist. Given HHS’s more vigorous enforcement efforts in recent years, hospitals cannot treat medical staff members as if they are exempt from HIPAA.

For additional information about dealing with physician behavior concerns, please join us in San Francisco for:

The Peer Review Clinic

The Ritz-Carlton, San Francisco
October 23-25, 2014

See you there!