HIPAA and the Need-to-Know

 HIPAA and the Need-to-know

HIPAA prohibits the disclosure of protected health information to anyone that does not have a professional need-to-know. The need-to-know standard is applied on a person-by-person basis and NOT by departments or units.

HIPAA and EBOLA in the news on 09/26/2014

OMAHA, Neb. (AP) — The Nebraska hospital that treated an American aid worker infected with Ebola has fired two workers accused of violating the man’s privacy by looking at his medical file

 In a written statement Friday, the Nebraska Medical Center in Omaha said an audit of the hospital’s electronic medical records led to the discovery that two employees had inappropriately accessed Dr. Rick Sacra’s file. The Omaha World-Herald first reported the firings Friday.

 The hospital said in the statement that the employees’ actions violated federal patient privacy regulations, leading their firing and “other corrective action.” The hospital gave no information as to why the employees accessed the records.


“While this is extremely uncommon, we have a zero tolerance for unauthorized access to patient information,” the statement said. “In accordance with HIPAA regulations, Dr. Sacra was notified in person and in writing before his departure from the hospital.” [The entire story can be found at http://bigstory.ap.org/article/1d3c8bc71a7a48a69e1a7539c1d2a338/omaha-hospital-workers-fired-over-ebola-privacy]


The employees were terminated because they accessed health information without a professional need-to-know which violated federal law. In addition to being terminated, the former employees may have also forfeited their rights under COBRA due to “gross misconduct”. This is similar to the firing of a doctor, medical student and lab technician after they were found snooping at the medical records of someone famous.

Remember, if you really do not have a need-to-know, do not work to find out.

The key takeaway from this story is that Covered Entities must make certain that data access reports from networks and EMRs are actually reviewed and understood.