RN Meeting With Corporate Compliance Over "Privacy Matter" Looking for Advice

Nurses HIPAA

Updated:   Published

privacy-issue-nurse-losing-job.jpg.70e1b712c9517a5a8e9e1ce26ec2d6df.jpg

I'm a registered nurse who was asked to volunteer by the very large hospital that I worked for to be "Team Lead" for a COVID testing site they had to establish back in June 2020. I was enticed by saying I'd get 40 hours a week of work (instead of 36hrs), and that I'd have weekends off, and wouldn't be forced to take PTO due to low census in the satellite ED I worked in. Flash forward almost 1.5 years and I'm still doing that job for them, with no change in pay.

One of my staff who does the actual swabbing gets COVID, and is off work. My manager asks if I had heard from this staff person regarding return to work date. I explained I had not heard from her despite reaching out a couple times over the past couple days. She expresses concern over staffing, the call ends, and I think "Oh, I bet Occupational Health has spoken with her and has likely established a return to work date for her (but has not contacted me nor my manager about it). I go into epic for the day she was scheduled for testing, open her chart and without looking at any specific health information, find two entries for two phone calls placed by occ health stating they couldn't get ahold of her. I tell my boss this, and she says "Oh, how did you find this out." I explain I found the information in her chart. She states I shouldn't have done that. I apologize and state I will never do it again. (I never received any supervisor training whatsoever yet have been acting as a supervisor to a decent-sized staff for over 1.5 years).

My manager and I get along very well, she recently did my annual performance eval and it literally couldn't possibly be more glowing.

Yet, yesterday I got an email from a corporate compliance officer asking to attend a zoom meeting with her and my boss on Monday. My boss had told me the other day she had to go out of town unexpectedly to Florida to pick up her daughter who just broke up with her boyfriend and had nowhere to live. I texted her and she was like "Yes, I knew about it. It's some privacy thing." I asked if it was regarding that incident with the staff member who was off with COVID and if I was getting fired, and she responded that she "honesty didn't know? " Then asked what time the meeting was and explained she couldn't be there, but she'd be back Tuesday.

I'd love advice on how to handle this matter. Or any general advice from healthcare workers who have had meetings with corporate compliance over "privacy issues."

2
Up Vote Up Vote ×
Specializes in Physiology, CM, consulting, nsg edu, LNC, COB.

I'd insist that your manager be present, at very least. The system should indicate that you had no contact with PHI. This would be no different from calling up OH and asking, "Hey, have you heard from SuzieQ?" If they told you, "Nope, called twice but she hasn't called us back," that's not PHI.

4
Up Vote Up Vote ×
Specializes in oncology.
10 hours ago, EDNurseCleveland said:

"Oh, I bet Occupational Health has spoken with her

Why didn't you just call the Occupational Health department?

6
Up Vote Up Vote ×
Specializes in retired LTC.

She used her job position to open a chart without authorization. That's HIPAA. Things can be iffy dep on her place's compliance position.

Sad that she's going to face some questions for something she didn't mean to intrude into.

6
Up Vote Up Vote ×

Sorry to hear of this.

They may view this as a violation of their privacy practices even if it isn't strictly a HIPAA-related violation. I fear OP will run into an issue because the tack that nearly all hospitals take with all things HIPAA is to not delegate HIPAA-related decision-making to their thousands of employees, but rather to narrow things down to needing to be in the chart to provide care or to perform a specfically authorized activity, OR staying OUT of the chart. Those are the two basic options they allow for employees.

 

23 hours ago, Hannahbanana said:

This would be no different from calling up OH and asking, "Hey, have you heard from SuzieQ?" If they told you, "Nope, called twice but she hasn't called us back," that's not PHI.

This entire process though, is best initiated from the side of occ health. Why should random supervisory coworkers have this as an excuse to enter someone's chart? We all know that you can see more than strictly what you're looking for. What should have happened here is that Occ health should have informed the OP that the employee is authorized to return to work but has not yet acknowledged receipt of that information. They should have a system for communication rather than having random supervisors access records. Especially when the employer has given no instruction about the ins and outs of when/how it is acceptable. Instead they have taken the route I described above. Employees are generally not authorized to use their own judgment about when they will access records and for what purpose.

Because hospitals are particularly toxic and hateful about all of this, I wouldn't access any chart that wasn't directly for the care of a patient or for auditing or some other legitimate project that they specifically assigned.

11
Up Vote Up Vote ×

The way you worded this makes total sense. I made the mistake of thinking I had the discretion as a supervisor to enter her chart for what I considered non-PHI. I’m still trying to decide if I should have an attorney present for the first meeting. By deduction it’s most likely my boss was compelled to report the violation. I feel bad I put her in that situation, but surely wished she had given me a heads up.

Yes, in hindsight, I should have just called occ health. 

2
Up Vote Up Vote ×
10 hours ago, EDNurseCleveland said:

By deduction it’s most likely my boss was compelled to report the violation.

They should've kept their stupid mouth shut and counseled you about what was proper and apologized for not providing any training.

I am sorry you are in this mess!

I tried to think through this to offer some kind of advice but the only thing I have seen from these compliance people is that they don't even have a freaking job unless they are busy investigating others' totally normal human misunderstandings and blowing them massively out of proportion.

IF I had to guess what I would do in your position I *think* that I would simply say something like, "I understood it to be part of my responsibility as a supervisor and did not believe that I was accessing PHI or violating HIPAA in any way. But I did  not receive specific supervisor training...."

6
Up Vote Up Vote ×
Specializes in retired LTC.

They called it a 'privacy matter'. Not mentioning 'HIPAA' per se. That's hopeful.

2
Up Vote Up Vote ×

The compliance officer’s email used the phrase “a compliance concern has been brought to our attention” and when I asked my boss about it, she said she didn’t know anything other than they said it was a “privacy thing.” 

3
Up Vote Up Vote ×
Specializes in Community health.

I have always worked outpatient. My bosses have been clear that every patient is everyone’s patient, so we can all be in any chart (as we need to, obviously, not just for fun). I am so befuddled by the way hospitals approach this. Yes, of course, I understand nobody should be snooping into their next-door neighbor’s chart to find out why an ambulance was outside their house last night. But whyyyyy are hospitals spending this much time and energy on situations like this one, where nobody actually accessed or saw anything, but their EHR system flagged somebody for clicking on the wrong thing for two seconds?  I just feel like… when staffing is at crisis levels, staff is leaving their jobs in droves, and it is incredibly hard to keep *good* nurses at the bedside, it’s shortsighted to treat things like this as a hanging offense. 

3
Up Vote Up Vote ×

@EDNurseCleveland -

How did it go on Monday?

1
Up Vote Up Vote ×
Specializes in Critical Care.

I'm not clear what specific PHI you supposedly accessed that you aren't already allowed to be aware of under HIPAA.  It appears the employee was taking time off after notifying the employer that they were Covid positive, in which case accessing an EMR that reveals the employee is Covid positive is not PHI that has not already been shared by the employee.

1
Up Vote Up Vote ×
+ Add a Comment