Privacy protection: When our colleagues are our patients

Staffing shortages are among the daily challenges facing healthcare organizations as the pandemic drags on. No department is unaffected; providers, pharmacists, nurses, therapists, technologists, medical assistants, housekeeping, and food services are all confronting ongoing staff shortfalls.

If sick staff members seek care at the organization where they work, healthcare organizations face an added challenge: their employees become their patients. This creates an especially sensitive situation when it comes to privacy. How are healthcare providers and compliance professionals balancing employee privacy with communications to colleagues and patients?

Making sure communications comply with privacy rules

The HIPAA Privacy Rule requires providers to strictly maintain the privacy and security of patient information and medical records. Privacy is an ongoing concern for healthcare organizations.

It’s also a critical compliance issue. When a worker is sick, ensuring that communications – with colleagues and with patients – are handled correctly is key to complying with privacy rules.

Protecting patient privacy also keeps people from feeling vulnerable or exposed. It’s important from a compliance perspective, and it’s also about empathy.

Staff should treat confidential and protected health information (PHI) for a colleague the same as they would for any patient. When a colleague wants a copy of their medical records, for example, they must follow the organization’s procedure to obtain a copy through the health information management department. Just as fellow workers are not permitted to print colleagues’ medical records for them, the employee may not access and print their own medical records either.

As another example, say that a surgeon tested positive for COVID at an organization-owned clinic. The only contacts who should be made aware of this diagnosis are the surgeon’s provider, the clinic manager, and the employee health department (if applicable).

It’s not appropriate to share the surgeon’s health status with staff. When asking staff to reschedule the surgeon’s surgical and clinic appointments, disclose as little information as possible. A fitting email to notify colleagues may be: “Dr. Smith will be off for the next five days. Please work to reschedule her surgeries and her clinic patients. We will provide an update to the team as soon as possible.”

Similarly, patient communications should not divulge a provider’s PHI. If a nurse practitioner tests positive for COVID and her appointments must be rescheduled, staff should contact patients with a message like this: “We are sorry, but Nurse Practitioner Miller will be out of the office this week. We need to reschedule your appointment.”

Mitigating privacy concerns

Another privacy concern with worker shortages is an increase in accidental privacy disclosures. For example, a temporary worker at the front desk may not be trained to disclose only the minimum amount of information necessary to family members. Or the worker may not realize PHI cannot be shared with a patient’s former spouse unless the patient consented to release such information. When a staff member inadvertently shares private, and protected, health information, consider offering a refresher training to individuals who need it.

Chief compliance officers (CCOs) and hospital leaders can help mitigate the privacy challenges associated with staffing shortages. One option is to conduct weekly rounds, allowing CCOs and hospital leaders to talk with staff, ask what challenges they’re facing, and work together on solutions. It’s helpful to involve the appropriate department supervisor in implementing solutions too. Regular rounds to the different departments or hospital units also are opportunities for CCOs and hospital leaders to provide real-time education and feedback, when needed.

Finally, CCOs and hospital leaders should extend empathy to staff as the pandemic persists. Keep in mind workers may be dealing – privately – with issues ranging from COVID “brain fog” to a lack of paid time-off.

As 2022 shapes up as another year to expect the unexpected, practical tools are available to help healthcare organizations comply with privacy regulations. YouCompli offers support that includes

How is your healthcare organization keeping up with privacy regulations? Read more about our regulatory monitoring process or schedule a demo.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

