HR should set high standards on privacy

HR Magazine, August, 2005 by Mike Verespej

The recent decision by the Department of Justice not to prosecute workers and third parties for violating the privacy of medical records doesn't mean that employers should ease off on any restrictions or policies they have with regard to the privacy of such records, legal experts say.

"If you're an employer and want to protect yourself, I wouldn't be relying on [the unlikelihood of] government criminal prosecution," said Ann Reesman, general counsel of the Equal Employment Advisory Council, an employer association that supports efforts to eliminate workplace discrimination. "The employer needs to set the bar for inappropriate workplace behavior."

The June 1 Justice Department opinion, in effect, applies the principles that govern other areas of federal corporate criminal prosecution to the violations of the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It reverses the agency's previous stance of prosecuting not just corporate officers and directors but lower-level employees as well.

To reduce their liabilities, Reesman advises companies to "physically restrict access" to medical records to as few employees as possible. Second, she says, employers need to train workers on "their responsibilities.

"They need to know that they are handling confidential medical records," Reesman said, and they need to know that even if the prospect of criminal prosecution is diminished, they could be subject to civil litigation for the disclosure of what HIPAA terms "individually identifiable protected health information. They need to know that they need to guard those records with the ferocity of a tiger."

"If you support a group health plan, you have a legal obligation to find out what you [and your employees] can and cannot do," said Joseph J. Lazzarotti, an attorney in the White Plains, N.Y., office of Jackson Lewis LLP.

Outside the health care industry, two groups of employers are potentially at greater risk with regard to HIPAA privacy violations--those that have self-funded health plans and those that reserve for themselves the right to retain final authority over payment of claims. "In both cases, they are handling a lot of [private medical] information that employers don't normally handle."

Lazzarotti suggested that employers and health care providers have their legal experts analyze where managers, officers and directors have been found criminally liable in other instances of federal government prosecution "so they know where the risks are and when they might be in the net of a criminal prosecution."

MIKE VERESPEJ IS ASSOCIATE LEGAL EDITOR AT HR NEWS.