Health Information Management

Q&A: Using patient PHI in work force disciplinary procedures

HIM-HIPAA Insider, April 3, 2012

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. A covered entity is required to impose sanctions against workforce members who violate the covered entity’s privacy and security policies and procedures. Can the covered entity include PHI as part of the disciplinary process without the authorization of the patient? The disciplinary process is conducted by an arbitrator.

A. No, a covered entity cannot disclose patient information to the workforce member or the arbitrator. The patient information must be de-identified. The sanctions process should focus on the actions that led to a violation of the covered entity’s policies and procedures. This does not require inclusion of patients’ PHI.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR,answered this question in the April issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular