Gerry Higgins writes:
A prominent CIO of a regional hospital system encountered the limitations of HIPAA and so-called “Protected Health Information (PHI)” when her boss fired her after a short medical leave of absence. After years working without taking vacation, a family catastrophe that affected her health prompted her to take a medical leave of absence. She had a physician’s letter to justify the leave, which was sent to the Occupational Health section of the hospital system, and they guaranteed the information would be kept confidential. Upon her return, she was called into her supervisor’s office and was promptly terminated, even after years of excellent performance reviews.
Two co-workers in the Department of Clinical Informatics, which she had managed, told her that they were ordered by other executives in the hospital system for a copy of her Electronic Health Record – a flagrant abuse of PHI. There they found she had a history of depression, but she had managed the problem with Cognitive Behavioral Therapy, extensive psychotherapy and medication. Another employee in Human Resources, who recently left the department, told her that is was routine policy to share Physician’s letters supporting medical leave with the employee’s supervisor.
Read more on HealthSystemCIO.com.
That an employee’s supervisor may have access to any PHI or a doctor’s report has always been a workplace privacy issue across all settings, as I’ve blogged about on PogoWasRight.org at times.
I wonder whether the Chief Privacy Officer for the hospital was aware of this “routine policy” and had any input into it and why Human Resources does not make clear to employees requesting a medical leave that any doctors’ reports will be shared with their employer.
While I agree with some of the “lessons to be learned” that Gerry describes, there’s another lesson here for employers: be transparent.