We recently received a complaint that a Medical Staff member may have been inappropriately accessing medical records. Do we handle this as a Medical Staff matter or should we refer this to our HIPAA Privacy Officer?
OUR ANSWER FROM HORTYSPRINGER ATTORNEY IAN DONALDSON:
Given that the Privacy Officer is responsible for implementing the hospital’s HIPAA policies, they should be made aware of any potential violations by a Medical Staff member. In addition, Privacy Officers have significant experience investigating and responding to privacy violations, and they will understand the law’s regulatory requirements, including whether breach notifications are required.
At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:
- Physicians may be more likely to listen to other physicians.
- Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
- The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
- Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.
This is why we recommend that the Medical Staff’s professionalism policy or code of conduct include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility. This allows for coordination between the Medical Staff leadership and the individual responsible for the other policy.
If you have a quick question about this, e-mail Ian Donaldson at firstname.lastname@example.org.