
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > Will an off-site employee exit procedure violate HIPAA regulations?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Will an off-site employee exit procedure violate HIPAA regulations?

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 03 October 2007
I am resigning from a medical case management company and was told to meet with a group at a local restaurant to transfer the files and give verbal information about these clients. I have said that I feel it will be breaking HIPAA regulations to do this. What should I do? Do I do as ordered or do I stand my ground and not meet in such a non-controlled atmosphere, in which any conversation could be easily overheard?

BROWSE BY TAG

Expert Archive: Security Management, Security Audit, Compliance and Standards, HIPAA, Enterprise Data Protection, Enterprise Data Governance, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing low-cost security appliances to bigger, pricier appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

HIPAA

HIPAA compliance: New regulations change the game

HIPAA compliance manual: Training, audit and requirement checklist

Key elements of a HIPAA compliance checklist

Quiz: How to meet HIPAA compliance requirements

How to avoid HIPAA Social Security number compliance violations

HIPAA changes force healthcare to improve data flow

CVS pays $2.25 million HIPAA settlement

Is a lack of employee privacy a HIPAA violation?

Hacked dental school server compromises 300,000

What's the best strategy to catch up on HIPAA compliance quickly?

HIPAA Research

Enterprise Data Governance

Compliance in the cloud

Risk management must include physical-logical security convergence

Simple information security mistakes can cause data loss, says expert

Organizations struggle with data leakage prevention, rights management

Encryption in data management should never be ignored, expert says

Attackers cash in on fundamental data handling mistakes, Verizon finds

Data loss prevention benefits in the real world

Mass., Nev. data protection laws wrong, ineffective

Cybersecurity hearing highlights inadequacy of PCI DSS

Enforcing a vendor risk assessment to avoid outsourcing security risks

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

cut-and-paste attack (SearchSecurity.com)

data splitting (SearchSecurity.com)

deperimeterization (SearchSecurity.com)

Google hacking (SearchSecurity.com)

masquerade (SearchSecurity.com)

snooping (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

It's not a matter of "getting anyone in trouble," it's a matter of doing what you believe to be the right thing. Something about meeting at a local restaurant to "transfer files" seems fishy to me. I believe you are absolutely in the right to refuse such a request. It does sound like a HIPAA violation to transfer the records off premises and even more so to discuss the clients in a public place

Now the real question becomes: who do you "stand your ground with" and what do you do to document your actions? It's not clear to me where this order was coming from. Was it human resources, or was it just your supervisor? Who is in the group that will be receiving this information?

If HR personnel were not involved in this request, then your best bet is to go to them to clarify what the exit procedure is for your job. You can ask an innocent (or seemingly innocent anyway) question to make sure that a professional information hand-off takes place. You don't have to tip your hand that you've been asked to divulge this information in a public place.

In the event HR is involved and has approved this strange process, then first express some reservations about the policy in writing. Get a response back from the corporation in writing. At that point, you've done all you can do to cover your backside, so go to the restaurant and transfer the information.

There is also what I'll call a nuclear option. You could report the process to the Department of Health and Human Services or go to your clients (for whom you are managing the medical cases), tell them about the process and explain your discomfort with it. This basically throws everyone in the organization under the bus. It also will put you at odds with your former employer and could result in messy lawsuits. I don't think this is a good option, but it is an option.

For more information:

In this expert Q&A, Mike Rothman discusses if it is a violation of HIPAA to collect consumer Social Security numbers.

A case study reveals how merging networks helped one medical facility with HIPAA compliance requirements.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy