Thursday Troubleshooter: RDH HIPAA compliant? Disobeys dentist's reprimands
This long-time RDH was told not to make copies of the office schedule for her own use. She went against the recommendation and continued to do so, violating HIPAA. How should this dental practice handle the situation?
Do you have a tough issue in your dental office that you would like addressed? Each week the experts on Team Troubleshooter will tackle those issues and provide you with answers. Send questions to email@example.com.
QUESTION: A coworker who’s been an RDH for over 25 years, and who’s been in our office for 20 years, was fired for printing copies of our schedule and taking them home. She had been reprimanded for doing so in the past, so she had her computer "privilege" to print from her sign-in revoked. However, this was not adequately documented by the dentist-boss. A part-time office coworker stepped away from her computer without signing out, and the RDH sat down and printed the schedules. She then refused to sign a document that acknowledged this violation, claiming she did not know that she should not print them. Now she is likely to sue us for wrongful termination. We do have copies of HIPAA training meetings with her signature, but we have no detailed information about every issue covered. Assuming this progresses, what is our obligation to report this to the licensing board? She is also a local EMT and holds the EMT certification as well. Thanks for your help.
ANSWER FROM LINDA HARVEY, RDH, MS, LHRM, Compliance/Risk Management Specialist:
Both the Privacy and Security Rules require Covered Entities (employers) to implement sanctions for workforce members who violate office policies and procedures. Your office did so by revoking the employee's privilege to print patient information. Since she was not authorized to print and take information home from the office, her actions constitute a HIPAA breach. Even though the dentist did not document the sanctions in a timely fashion for HR purposes, information can still be documented in a breach incident form. Computer forensics can accurately date/time when her printing privileges were revoked. The doctor should consult with his cyber risk carrier for legal advice on filing a report to the Office of Civil Rights as well as the licensing board.
Here are a few risk management tips:
1. List topics discussed on all training sign-in sheets, not just HIPAA.
2. Have a separate form for employees that states they read and understand office policies.
3. Annually review and update office policies and procedures to be sure they are up-to-date.
I applaud this dentist for following through with his office policies and procedures.
ANSWER FROM PAUL EDWARDS, CEO of CEDR Solutions:
From a human resources standpoint, the main thing I wonder is, why was the employee printing those schedules? I think it’s always a good idea to ask that question, why? It’s an important part of any investigation, and the answer can often reveal some underlying issue. For example, had she answered that she was using the schedule to go back and ensure she was being paid overtime correctly, then you might have chosen to take a step back and deliver a different kind of a warning (although if the schedules included patient information, then it is still not okay to remove Protected Health Information (PHI) from the practice). On the other hand, if she had offered no explanation, then that will be a problem for her if she actually goes through with some kind of post-termination claim.
As for not signing the corrective action, she need not sign the corrective action for it to exist. But, as you noted, corrective steps were taken previously, and it’s unfortunate that there’s no documentation. In an instance like this, noting that the employee refused to acknowledge the issue by signing is the next best step a manager can take. Make sure you add your own notes and the date, and sign it.
Regarding reporting her, I’m going to let one of our HR and HIPAA experts, Nathan Massey, address this and provide a little information about your obligation to investigate and document problems with safeguarding PHI in accordance with the rules surrounding HIPAA. If the employee broke a PHI rule, then your practice did, too, and you’ll need to consider your reporting obligations to Health and Human Services.
ANSWER BY NATHAN MASSEY, HR Advisor, CEDR Solutions:
As far as HIPAA is concerned, the employee and the practice are not separate entities. Generally speaking, a patient schedule is something that can be used by a covered entity for “treatment, payment, and health-care operations,” without requiring specific authorization by the patient for such use. However, for such a use to be compliant with the HIPAA Privacy Rule, the entity or person receiving the schedule must “need to know” that information in order to perform “treatment, payment, and health care operations.”
As an example, in a recent case, a general hospital was investigated because the management staff sent an operating room schedule by email to many of their employees. There was a complaint by one of the patients on this schedule, and HHS found that the operating room schedule was distributed to people who did not “need to know” that information.
In your situation, the information was not distributed, but there was (potentially) a “breach” of PHI if the RDH did not need to know the patient schedule in order to carry out “treatment, payment, and health care operations.” If she did need to know that schedule for treatment, payment, and health care operations, then it may not be a breach. However, she did bring unsecured PHI home with her, which could also lead to a breach if that paper record was lost or stolen, or if it was not disposed of properly (shredded).
Further, it is also likely a violation of the Security Rule that the other employee walked away from her computer without logging off. But it was not a breach unless that violation of the Security Rule led to an impermissible use or disclosure of PHI, which it may have, if the RDH did not “need to know” the information she printed and took home.
So, the questions that you need to ask are, “did the employee need to know the patient schedule in order to carry out treatment, payment, and health care operations?” and “what happened to those paper records after she took them home?”
If the answer to the first question is “no,” then this probably constitutes a breach which you would need to report.
If the RDH did need to know the schedule, and the answer to the second question is anything other than “shredded,” there is also potentially a breach out there waiting to happen if those old printed schedules are ever found by anyone, and you should report it as a breach before they are found. Or, make a direct request to the employee asking for the return of the schedule. If the documents are already back in your possession, then the risk is no longer a concern.
Taking into account that the employee and your practice are a single entity, and given limited information, it is probably best to not attempt to report the possible breach to anyone other than those you are directly obligated to report a breach to.
Send your questions for the experts to answer. Responses will come from various consultants, many of whom are associated with Speaking Consulting Network, Academy of Dental Management Consultants, Dental Consultant Connection, and other expert dental support organizations. Their members will take turns fielding your questions on DentistryIQ, because they are very familiar with addressing the tough issues. Hey, it's their job.
Send your questions to firstname.lastname@example.org. All inquiries will be answered anonymously every Thursday here on DIQ.