Maintaining Patient Privacy In The Digital Age
Insights
5.02.16
Those in the heavily regulated healthcare industry know that patient information is sacrosanct. And for good reason; improper handling can result in hefty fines or criminal prosecution under the Health Insurance Portability and Accountability Act (HIPAA). Healthcare employers must often take intricate steps to safeguard Protected Health Information (PHI), including ensuring compliance by the workforce.
As a means to this end, employee manuals in the healthcare industry frequently prohibit the use of recording devices in the workplace, especially given how easy it is to record video and audio using smartphones or other digital devices. But a recent opinion by the National Labor Relations Board (NRLB) should make you rethink these blanket bans.
Employers Take Sweeping Steps To Protect Privacy…
In order to understand the opinion, it is best to first review some background information. As a healthcare employer, HIPAA is not a foreign acronym to you, and neither is compliance with this federal statute. In short, and very generally speaking, you are charged with the responsibility of restricting the flow of PHI. Further, you are required to ensure compliance by your employees.
The federal agency that oversees Title II of HIPAA takes this responsibility seriously. As a result, enforcement actions are on the rise. Failure to comply can result in fines over the million dollar mark and imprisonment for up to 10 years. Thus, it is prudent to make privacy a priority.
As part of the overall effort to protect PHI, many – if not most – healthcare employers prohibit their employees from using recording devices in the workplace. In light of the proliferation of smartphones (more than half of Americans are estimated to use them), it is not uncommon for employers to specify that the use of picture phones is likewise forbidden.
If a healthcare employer fails to develop a policy of this nature, they are arguably inhibited in their ability to ensure the confidentiality and integrity of PHI, as required by HIPAA. Unfortunately, this statutory requirement does not seem to justify an employer who wants to take any and all steps to prevent information leaking from the workplace, at least according to the NLRB.
…But The NLRB Says Employers Are Going Too Far
Many employers believe they have the absolute right to prohibit their workers from disclosing “confidential” information to certain parties. The NLRB disagrees, however, and has diligently worked to erode employers’ rights in this area. Whole Foods – the upscale grocery chain – learned this lesson the hard way.
In its employee handbook, Whole Foods (like many other employers) maintained a policy that prohibited the use of recording devices, including cell phones, in the workplace without first obtaining approval from management. The employer believed this policy was necessary to “eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”
This policy was challenged by a union attempting to organize at the workplace, which claimed that the handbook violated the National Labor Relations Act (NLRA). It’s important to note that the NLRA covers all workplaces, not just those that are unionized or engaged in an organizing drive.
In a recent 2-1 decision, the NLRB disagreed with Whole Foods. The agency ruled that enforcing the policy would actually chill the employees in the exercise of their rights. Rather than ruling that a ban on recordings would be in the employees’ best interests, the Board ruled the opposite: that eliminating a blanket ban would best protect workers.
This decision, in addition to other recent Board decisions, indicates that employees have the absolute right to photograph and make recordings in furtherance of their rights under the NLRA. While the rights may be absolute, furthering them cannot be limitless where patient privacy is concerned.
A Confidentiality Crossroads: What Is The Takeaway?
On the one hand, healthcare employers are obligated to comply with HIPAA and a host of other state and federal laws regarding privacy and confidentiality. On the other hand, employees have increasingly broad rights to engage in concerted activity under federal law. So where does this leave healthcare employers who might find themselves at a crossroads?
In short, you should steer clear of total bans on recording devices in the workplace. There is no question that the protection of PHI is of critical importance; the Whole Foods opinion does nothing to change that. But the NLRB will view a total ban on those devices as unlawful. Thus, you should analyze your current recording device policy, in addition to any other policy that may curtail the communication of confidential information, to ensure compliance with the latest legal developments.
If your recording device policy includes a comprehensive ban, you should revise it. For example, you would avoid running afoul with the NLRB if your policies only preclude your employees from recording in areas dedicated to patient care, but left open the possibility of recording in areas where patient privacy concerns do not exist. To stay out of the NLRB’s crosshairs, a narrowly tailored policy is the best approach.
For more information, contact the author at JWrigley@fisherphillips.com or 228.822.1440.