Every workplace investigation poses unique circumstances and challenges depending on the nature of the client. Health care organizations are among the trickier clients for third-party investigators because the nature of their workplace complaints often implicate issues unique to this industry.

HIPAA Issues

With few exceptions, health care organizations are subject to stringent national standards under the Health Insurance Portability and Accountability Act (“HIPAA”) to safeguard the privacy and security of protected health information (“PHI”).[1] Among HIPAA’s many  requirements, PHI may only be used or disclosed under very limited, express circumstances while physical and electronic safeguards must be implemented to ensure the security of PHI. These restrictions and obligations not only bind the organization itself, but all of its employees, vendors and contractors who handle PHI. If PHI is breached, the organization’s compliance officer must be notified and, within a prescribed timeframe, the organization must report the incident to the Department of Health and Human Services (“HHS”) and notify impacted individuals. Common HIPAA violations include unauthorized access to patient records, accidental disclosure of PHI, insufficient IT security measures to protect the health data, and lost or stolen devices containing PHI. Breaches have led to multi-million dollar fines and settlements; a single violation triggers a fine of up to $50,000.00. In 2019, a Virginia health care organization reached a $2.175 million settlement after it failed to properly notify HHS of a breach of unsecured PHI.

In addition, the privacy issues that arise in the health care workplace are usually not obvious on the face of the complaint. PHI may become a factor through witness statements about the incidents, underlying complaints, or in the review of documentary evidence provided by witnesses. Take, for example, an email produced by a complainant as evidence of retaliation by her manager for her reporting patient care issues. The email thread references the patient’s name and the symptoms he presented. Obviously, the investigator must handle this PHI with the utmost care and ensure the security of his or her notes and documentary evidence. Any PHI should be redacted, especially in exhibits to investigation reports, and reports should omit any reference to specific patient data.

Likewise, an investigator may become aware of a direct breach of HIPAA standards in the course of the investigation. If, for example, a witness references a colleague posting a photo of a patient on social media to demonstrate a procedure, the investigator should note that this was a breach of PHI because the patient’s face could be discerned. Any breaches or potential breaches such as this should be flagged and immediately communicated to the client so that the organization’s privacy officer is made aware.

Client Organization Code of Conduct/Ethics

Many health care organizations maintain a code of conduct and/or policies governing employee behavior and interactions given the scale of the workforce and public-facing nature of health care work. Likewise, such clients maintain standardized processes for patient treatment, incident reporting, and other practices. Even if breach of internal policy is not included in the investigation scope, investigators should ask the client about such policies in order to spot issues and alert counsel as the investigation unfolds. This can help investigators become familiar with internal protocol and lingo referenced by witnesses.

Medical School Affiliations and Teaching Personnel

A number of hospitals are affiliated with medical schools. In this setting, medical professors and their students may become integral witnesses in an investigation, or even the subject(s) of the complaint itself. Outside investigators often must follow special protocol for interviewing tenured professors and medical school personnel may wish to oversee the investigation. For example, the Dean of Faculty or similar personnel may shadow the investigator or carry out an internal parallel investigation. Alternatively, interviews of teaching staff sometimes must be approved in advance with the teaching institution and the staff may be entitled to have his or her own representative present for the interview. Thus, thoughtful planning, approval, and advance coordination must be carried out to avoid undue delay and to ensure all necessary witnesses are interviewed. 

This post is not exhaustive of all the issues that arise during external investigations of health care organizations but is meant to convey the complexity of potential issues so that investigators tread with appropriate care while interacting with this vital industry.

[1] PHI is personal identifiers (name, social security number, phone number, etc.) combined with health information.

Authors: Diana Maier, Partner and Caitie Emmett, Associate.

The Maier Law Group is a boutique employment and data privacy firm that specializes in conducting workplace investigations, providing executive coaching, training employees, mediating both courtroom and workplace disputes (between two conflicting employees), and advising and counseling employers on HR and data privacy issues.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly at info@maierlawgroup.com.