Utah Hospital Aftermath: What Police Precincts Need to be Doing

Recently, like many Americans, we watched events unfold at a Utah based hospital between a police officer and hospital nurse. Being that our office is based in the Salt Lake City area, the incident hit close to home both literally and figuratively. Unfortunately, the police officer who arrested and allegedly assaulted a nurse for refusing a blood draw on an unconscious patient brought up more questions than answers. As all healthcare organizations should heed a warning whenever there is a security breach at any hospital, private practice, insurance provider, etc; we feel it is crucial that both providers and law enforcement understand what happened and how to prevent a similar incident from occurring.

What Went Wrong

In simple terms the nurse was arrested for doing her job. By refusing the police officer to administer a blood draw on an unconscious patient she was protecting her patient’s rights. As the police body cam video illustrates, the nurse pleas with the officer stating she did feel she was doing anything wrong.  On the flip side, the same cannot be said for the officer involved in the incident. Under HIPAA, any person or organization who touches Protected Health Information (PHI) needs to understand and be aware of the basic rules around patient’s right to privacy including what can be released and what cannot.

One commonly misunderstood item under HIPAA is who constitutes as a business associate and who does not. By definition a business associate is any person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to PHI. In this case, the police office was a business associate of the hospital and therefore needed to comply with HIPAA.

Workforce Training

One HIPAA requirement that is really highlighted through the events that unfolded during this incident is the importance of workforce training. It is unknown at this time whether the police officer has ever participated in HIPAA training, however, based on the events that transpired he clearly did not understand that in order to release PHI to law enforcement, there must be either a signed waiver/release by the patient, a court-order or subpoena.

Although training employees on HIPAA may feel like an overwhelming or daunting task, it does not need to be. Most importantly, workforce training should be tailored to whether the organization is a Covered Entity, Business Associate or Hybrid and review how employees can impact the security of PHI. Had the police officer understood some basic patient privacy rules, the incident could have gone a very different way. Bottom line, police precincts should be offering basic HIPAA training for all colleagues.

In turn, when a member of law enforcement arrives at a hospital or medical facility he/she should be directed to a specific department to discuss their request. All hospital staff must be trained on what to do with law enforcement in the building so they can minimize disruption and ensure the appropriate action is taken. Some examples of a hospital department that may handle these requests include: Health Information Management, Medical Records Department, or Legal and/or Compliance. This should be covered in during employee workforce training along with documented in the hospital or medical facility’s policies and procedures.

Moving Forward

As stated above, with appropriate training and awareness, the incident above could have been avoided. We applaud the nurse for understanding her rights and the importance of appropriate patient care. At HIPAA One we offer  affordable and easy-to-use workforce training modules that can be customized for various organization types with a “game like” feel.

To view our modules or learn more, click here.


HIPAA & Texting

Special Note: This is the first blog in a 3-part series focusing on HIPAA and patient communication. Keep checking back for upcoming blogs focusing on email and voicemail. In recent years, a great number of medical practices have embraced text … [Continue reading]

What You Need to Know about the Newly Updated HHS Breach Tool

As part of their commitment to providing greater transparency to consumers, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently launched their revised web tool designed to highlight important breach … [Continue reading]

2017 HIPAA Breach Stats: Where Are We At?

Now that the first half of the year is behind us, how is the healthcare community faring? Will the data breaches of this year surpass previous years, leaving entities scrambling and millions of patients left vulnerable? Let’s take a look at the … [Continue reading]

Your HITRUST Certified Practitioner

If your organization is looking to get HITRUST certified and complete a Security Risk Analysis, look no further than HIPAA One. We’ve added to our service offerings to assist with your HITRUST needs! As the first member of our team to become a … [Continue reading]

Small Medical Practices and Cyber Attacks

Recently one of our good friends and healthcare blogger, John Lynn of EMR & HIPAA wrote a blog on why small medical practices are at great risk for a cyber attack and we couldn't agree more. Too often small medical practices operate day to day … [Continue reading]

Updates to our Microsoft Windows 10 Whitepaper

In February, we released a whitepaper co-authored with Microsoft which reviewed how Windows 10 can be used as a compliant operating system for healthcare organizations. If your workplace uses and/or plans to upgrade to Windows 10 Enterprise and … [Continue reading]

Penetration Testing & Patient Portals

As healthcare providers continue to embrace technology, are patients being left vulnerable? If a recent incident at a Frisco, TX-based healthcare services company, True Health Diagnostics is any indication, then the answer is a resounding “yes.” PHI … [Continue reading]

What Does Real Audit Preparedness Look Like?

Link to our recent press release: http://bit.ly/2qfTMgI For many members of the healthcare community, the word “audits” was overheard more than a few times last year. In March 2016, Health and Human Services’ Office for Civil Rights (OCR) … [Continue reading]

Need to Access the LADMF? We can help!

In the world of HIPAA compliance, sometimes the only constant is change. It is not out of the norm for one of our clients to come to us with a question or request that at times, takes us by surprise.  This occurred recently when a client contacted us … [Continue reading]