[ Tuesday, November 20, 2007 ]
OCR horror story:
On the AHLA HIT listserv, a lawyer recently relayed a pretty egregious horror story. A hospital nurse found out, through proper access to PHI in the hospital setting, that another nurse had a drug problem. The first nurse reported the second nurse to the State Nursing Board; in that state (as in most others), every nurse is required to report to the board any other nurse that the reporting nurse has reason to believe is impaired. So, the first nurse's report to the board was pursuant to a state law requirement. A HIPAA complaint ensued from nurse 2, and the OCR investigator found that the state law requirement applied to the reporting nurse, but not the hospital, to the hospital's reporting was a HIPAA violation. But "the hospital" only reported by the act of its employee, nurse 1, who was required to report according to state law. The OCR investigator somehow found that the nurse had to report and the hospital had to keep quiet, but also found that the nurse was (the representative of) the hospital.
There is a HIPAA exception that allows uses and disclosures if they are required by other laws. When disclosures are permitted (but not required) by other laws, you have to do a "more stringent" analysis, but if the state law requires the disclosure, that should trump. Here, the OCR investigator seems to have pushed the hospital into a real catch-22.
Jeff [4:02 PM]
Blogger: HIPAA Blog - Edit your Template