HIPAA Q&A: PHI and covered entity disciplinary actions

Compliance Monitor, April 18, 2012

Q. A covered entity is required to impose sanctions against workforce members who violate the covered entity’s privacy and security policies and procedures. Can the covered entity include PHI as part of the disciplinary process without the authorization of the patient? The disciplinary process is conducted by an arbitrator.

A. No; a covered entity cannot disclose patient information to the workforce member or the arbitrator. The patient information must be de-identified. The sanctions process should focus on the actions that led to a violation of the covered entity’s policies and procedures. This does not require inclusion of patients’ PHI.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.