
Would Your HR Team Violate HIPAA to Check Out George Clooney's Medical Records?

Michael Wolfe at The Career Revolution covered the recent news that 27 employees at a hospital where George Clooney and his girlfriend were treated were just suspended for a month without pay for viewing his PHI (Protected Health Information). 

So the employees got caught looking and now they're paying the price.  I get that.  I'm supportive. More interesting to me is the comment in Wolfe's post from an Office Manager at a doctor's office:

"When implementing our EMR, we modeled our security measures after the one the hospital many of our physicians are associated with developed, which basically adds up to a zero tolerance policy. One of the advantages of an EMR is that you can track any information users access, as I presume is the case here, and the general rule of thumb is that there are two reasons, and two reasons only why ANYONE should be looking in a patient's chart--whether it be George Clooney or Joe Schmoe:

1). You are directly involved in the patient's care (physicians and clinical staff).

2). You have to access information contained in the record in order to be able to do your job (support staff). End of story.

In my clinic, if you can't satisfy either of the above rules when looking in a patient's chart, you're outta there. Forget verbal warnings, forget suspensions without pay."

In a small, medium or large HR shop, HR people have access to a lot of PHI data, often without the login security and tracking that an EMR provides.  Also, a lot of data exists in medical files related to PHI.  Here's the $64K question.  If given the chance, would your HR people look at that data and maybe look up a code on the treatment provided?  Are you sure?

More importantly, do you even know if they have access?   How do you protect access to this type of information on Joe Schmoe?  The same procedures/systems that protect Schmoe protect Clooney. 

Human nature is at work here.  We're imperfect.  Name a privacy officer in your department and route all system access, dealings with medical vendors, FMLA certifications, etc. through them unless someone has the need to know or is working the case.

I mean, can you imagine how many HR people are wanting to take a look at Kid Rock's medical history at Atlantic Records?   The life-event section of the employee file alone probably requires one of those book-size rubber bands.... 


Stephanie Richardson

My HR team not only wouldn't violate HIPAA to see Clooney's medical records, I doubt any of them would walk across the street to catch a glimpse of him. My team is made up of grown-ups, not worshippers of self-important celebutards who think they can run the war and the government better than actually qualified people.

Monica Haut

Thank you for reminding readers that no one is perfect (hence laws). Curiosity is a strong component of basic human nature and I believe no one is immune to giving in to the temptation of it - whether the subject matter be Mr. Clooney (who doesn't do it for all of us) or someone/thing else. Therefore, no matter how strong or righteous you think your team is, prepare for someone to fall from grace and receive the firm & fair consequences you are hopefully prepared for and confident enough to give in return.


Stephanie -

It's really not about Clooney, as much as it is the human condition. If you don't safeguard your info and lock it down in a manner similar to that offered by an EMR, you have to be prepared for someone to take a fall and disappoint you. I think Monica is right. We all want to think that all on our teams can handle the responsibility, but if you've managed a lot of teams, you know that people often slip up and fail to live up to your expectations.

Thanks - KD
