A prominent CIO of a regional hospital system encountered the limitations of HIPAA and so-called “Protected Health Information (PHI)” when her boss fired her after a short medical leave of absence. After years working without taking vacation, a family catastrophe that affected her health prompted her to take a medical leave of absence. She had a physician’s letter to justify the leave, which was sent to the Occupational Health section of the hospital system, and they guaranteed the information would be kept confidential. Upon her return, she was called into her supervisor’s office and was promptly terminated, even after years of excellent performance reviews.
Two co-workers in the Department of Clinical Informatics, which she had managed, told her that they were ordered by other executives in the hospital system for a copy of her Electronic Health Record – a flagrant abuse of PHI. There they found she had a history of depression, but she had managed the problem with Cognitive Behavioral Therapy, extensive psychotherapy and medication. Another employee in Human Resources, who recently left the department, told her that is was routine policy to share Physician’s letters supporting medical leave with the employee’s supervisor.
Feeling justifiably outraged, she talked directly with the U.S. Department of Health and Human Service and an attorney in Washington, D.C. who specialized in employment issues related to HIPAA, the answer came back the same – “Unless you have the financial resources and the time and effort to sue the hospital system, it is not worth it to instigate litigation.”
So what lessons can be learned from this unfortunate incident? Here is my take:
(1) Many physicians feel that psychiatric illness is not on par with “real disease”, and the employee that has psychological problems should not be trusted.
(2) Those of us that can routinely access the EHRs of a hospital system have to be absolutely strict about not viewing the EHRs of celebrities, family and people we know without proper written permission, as well as co-workers and executive management.
(3) If you are going to have medical care, choose a hospital that you are not associated with.
(4) Do not trust what Occupational Health or Human Resources assure you about the privacy of PHI – remember that they work for your employer. Unfortunately, in most hospitals, they have to give permission for an employee to take a medical leave of absence.
OR, we could follow the lead of others who post all of their medical information on the internet for anyone to view, like the members of the Personal Genomes Project. Then we would not to deal with the vagaries of so-called “Protected Health Information.”
What do you think? Are employees with psychiatric disease not to be trusted? Are the federal laws being enforced? Should the penalties and oversight be increased when dealing with PHI?