August 9, 2018

QUESTION:        We recently received a complaint that one of our Medical Staff members was “surfing” the EMR, looking for patients with a certain diagnosis and then contacting them to offer his services.  Should we refer this matter to our HIPAA Privacy Officer, review it under our Medical Staff Professionalism Policy, or take some other approach?

ANSWER:            There are good reasons for involving the hospital’s Privacy Officer in the review of HIPAA violations by Medical Staff members.  The Privacy Officer is responsible for implementing the hospital’s HIPAA policies, so that individual should be aware of potential privacy violations by Medical Staff members.  Also, Privacy Officers have significant experience investigating and responding to privacy violations.  They will be familiar with HIPAA’s dense regulatory requirements and know how to find information that shows if health information was improperly accessed.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
  • The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
  • Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

To get the best of both worlds, we recommend that the Medical Staff Professionalism Policy include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility.  The Policy should also describe how efforts will be made to coordinate the efforts of the Medical Staff leadership and the individual responsible for the other policy (e.g., through attendance at meetings and the sharing of information).

For additional information about dealing with physician behavior concerns, please join us in San Francisco for:

The Peer Review Clinic