Recently, like many Americans, we watched events unfold at a Utah based hospital between a police officer and hospital nurse. Being that our office is based in the Salt Lake City area, the incident hit close to home both literally and figuratively. Unfortunately, the police officer who arrested and allegedly assaulted a nurse for refusing a blood draw on an unconscious patient brought up more questions than answers. As all healthcare organizations should heed a warning whenever there is a security breach at any hospital, private practice, insurance provider, etc; we feel it is crucial that both providers and law enforcement understand what happened and how to prevent a similar incident from occurring.
What Went Wrong
In simple terms, the nurse was arrested for doing her job. By refusing the police officer to administer a blood draw on an unconscious patient she was protecting her patient’s rights. As the police body cam video illustrates, the nurse pleas with the officer stating she did feel she was doing anything wrong. On the flip side, the same cannot be said for the officer involved in the incident. Under HIPAA, any person or organization who touches Protected Health Information (PHI) needs to understand and be aware of the basic rules around patient’s right to privacy including what can be released and what cannot.
One commonly misunderstood item under HIPAA is who constitutes as a business associate and who does not. By definition, a business associate is any person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to PHI. In this case, the police officer was a business associate of the hospital and therefore needed to comply with HIPAA.
One HIPAA requirement that is really highlighted through the events that unfolded during this incident is the importance of workforce training. It is unknown at this time whether the police officer has ever participated in HIPAA training, however, based on the events that transpired he clearly did not understand that in order to release PHI to law enforcement, there must be either a signed waiver/release by the patient, a court order or subpoena.
Although training employees on HIPAA may feel like an overwhelming or daunting task, it does not need to be. Most importantly, workforce training should be tailored to whether the organization is a Covered Entity, Business Associate or Hybrid and review how employees can impact the security of PHI. Had the police officer understood some basic patient privacy rules, the incident could have gone a very different way. Bottom line, police precincts should be offering basic HIPAA training for all colleagues.
In turn, when a member of law enforcement arrives at a hospital or medical facility he/she should be directed to a specific department to discuss their request. All hospital staff must be trained on what to do with law enforcement in the building so they can minimize disruption and ensure the appropriate action is taken. Some examples of a hospital department that may handle these requests include Health Information Management, Medical Records Department, or Legal and/or Compliance. This should be covered in during employee workforce training along with documented in the hospital or medical facility’s policies and procedures.
As stated above, with appropriate training and awareness, the incident above could have been avoided. We applaud the nurse for understanding her rights and the importance of appropriate patient care. At HIPAA One we offer affordable and easy-to-use workforce training modules that can be customized for various organization types with a “game like” feel.
To view our modules or learn more, click here.
Written by September 12, 2017.