Ask The Security UK Expert: Questions & Answers

Will an off-site employee exit procedure violate HIPAA regulations?

EXPERT RESPONSE FROM: Mike Rothman

QUESTION POSED ON: 03 October 2007
I am resigning from a medical case management company and was told to meet with a group at a local restaurant to transfer the files and give verbal information about these clients. I have said that I feel it will be breaking HIPAA regulations to do this. What should I do? Do I do as ordered or do I stand my ground and not meet in such a non-controlled atmosphere, in which any conversation could be easily overheard?

EXPERT RESPONSE
It's not a matter of "getting anyone in trouble," it's a matter of doing what you believe to be the right thing. Something about meeting at a local restaurant to "transfer files" seems fishy to me. I believe you are absolutely in the right to refuse such a request. It does sound like a HIPAA violation to transfer the records off premises and even more so to discuss the clients in a public place.

Now the real question becomes: who do you "stand your ground with" and what do you do to document your actions? It's not clear to me where this order was coming from. Was it human resources, or was it just your supervisor? Who is in the group that will be receiving this information?

If HR personnel were not involved in this request, then your best bet is to go to them to clarify what the exit procedure is for your job. You can ask an innocent (or seemingly innocent anyway) question to make sure that a professional information hand-off takes place. You don't have to tip your hand that you've been asked to divulge this information in a public place.

In the event HR is involved and has approved this strange process, then first express some reservations about the policy in writing. Get a response back from the corporation in writing. At that point, you've done all you can do to cover your backside, so go to the restaurant and transfer the information.

There is also what I'll call a nuclear option. You could report the process to the Department of Health and Human Services or go to your clients (for whom you are managing the medical cases), tell them about the process and explain your discomfort with it. This basically throws everyone in the organization under the bus. It also will put you at odds with your former employer and could result in messy lawsuits. I don't think this is a good option, but it is an option.

For more information:

  • In this expert Q&A, Mike Rothman discusses if it is a violation of HIPAA to collect consumer Social Security numbers.
  • A case study reveals how merging networks helped one medical facility with HIPAA compliance requirements.


All Rights Reserved, Copyright 2008 - 2009, TechTarget