Dear Evil HR Lady,
Recently I was accused of a crime. I work for a laboratory, and I was accused of a Health Insurance Portability and Accountability Act violation. I was not guilty of violating HIPAA, but no one — not my immediate supervisor, who was not present when the “incident” occurred, not my director, not the supervisor who believes he “caught” me, nor anyone from HR — has ever had a conversation with me about this. No one has even asked me if I did what they think I did, which was supposedly to print out lab results for a co-worker.
My bonus was taken away, allegedly by HR (that’s what I was told), and I was made to sign a document that stated that this was a “final write-up” — I’d never been written up for anything before. When I asked if I could say anything to this kangaroo court, I was told, “No, You are lucky you still have a job. You can go back to work now.”
Does this sound like a “normal” procedure when accusing someone of a crime? A HIPAA violation IS a crime, and punishable as such. (By the way, I did double-check with a lawyer, and no, I did not violate HIPAA. Nor would I.) I lost my bonus, which I had worked for and was depending on, supposedly as part of my “punishment.” When I checked with our IT department head, he said there was “no way to prove or disprove what they had accused me of doing.”
I’m now looking for another job, but I carry a lot of anger and resentment against a company I used to love working for — I’ve been there for six years — but that I now can’t stand. That special feeling of dread hits me every time I think about going to work. My director, supervisor and even the evil supervisor who thinks he “caught” me all act as if nothing happened.
To read the answer (which includes a advice from Lawyer Donna Ballman), click here: I was falsely accused at work — now what?
I’m wondering also if there’s a backstory that helps explain this. Did you print out something that wasn’t a lab report for this co-worker? Did somebody else make such a printout? Is the person who got the printout saying anything?
It just seems slightly less weird to screw up handling something that did happen than make up something that didn’t.
I agree. That is slightly less weird. Overall, an example of a bad HR department. You should definitely interview the accused!
I was wondering the same thing about the other coworker that you ‘printed something out for’. And was this to be done of your own free will? or had they ‘asked’ you to do it for them? And if they supposedly asked you to do it & would have known it would be against the rules/law, are they themselves also getting reprimanded? So if you are able to have a conversation with your supervisor, I would be bringing this question up. In my opinion, if you are the only one to get reprimanded, and you do fall under a ‘protected’ status, then you might be able to bring this up to your advantage.
And if someone breaks the law, why not report it? I guess they have their reasons, but now you’re supposed to be greatful that you ‘still have a job’ but have to work in such an uncomfortable environment! I would be looking for a new job, asking about what might be said in a reference check, but also questioning details, and speaking further with the labour board/council (if one is available to you – I’m in Canada and they provide advocates/representatives for free to both employees and employers) to ensure that your reputation isn’t damaged by this if it doesn’t need to be.
I’m guessing reporting it would open up a whole can of worms that the lab doesn’t want to deal with.
Just curious, but if the co-worker asked for a report to be printed, was the lab report for the co-worker’s lab results? If so, is there really a HIPAA violation? The co-worker gave consent, even if verbally. It might be a violation of company policy, but is it a violation of HIPAA? Might not change the outcome, but it is a question.
The OP said he verified with a lawyer that it wasn’t a HIPAA violation, but it well could be a workplace rule violation.
Regardless of what it was or wasn’t, conducting an investigation without even speaking to the target is malpractice, IMHO.
I hate to say it, but this didn’t come out of the blue, and it sounds like you to talk to your compliance office about what they found.
HIPAA Privacy & Security Rules compliance requires that healthcare providers regularly monitor who is doing what in their IT systems. They have record of your user access being used to access a colleague’s record, and they haven’t been able to document a business need for you to do so.
Our employee confidentiality agreement requires each employee to acknowledge anything done under their user access is their responsibility. If they forget to log out and another person uses their access, or they give their credentials to another person and let the other person use the credentials, or any of about a hundred scenarios that I’ve seen, it is the user’s responsibility.
Most lawyers, unless they specialize in healthcare compliance activities, don’t understand what is and isn’t a violation of the HIPAA Privacy or Security Rule, or of the HITECH Act (a section of the ARRA in 2009 that extended the original 1996 legislation). And, many violations aren’t criminal conduct; they are civil violations that can be met with fines & monetary penalties. It takes some very specific actions to reach the level of criminal conduct under HIPAA & HITECH.
And even if it isn’t a violation of the law, it may have been a violation of the facility’s internal policies. We have that happen all the time, and the education process is constant, because we want people to do the right thing.
Whether or not you personally did the action, it sounds like there is record of the action occurring as having been done by you. Whether or not this is a violation of the law, be it criminal or civil, or just a policy violation, they have the right to say you committed them and have you go through an educational and/or disciplinary process.
At the same time, there is the right to know what you’ve been accussed of, and why they think so. We have the same rule for our staff who have user ID’s. If they fail to close off when they are done on their computer (some computers are shared) and someone happens to use your ID then you are the one responsible. And this could be a scenario here, who knows.
But, if I were to dicipline or fire an employee without giving a reason or details, and especially without investigating (following the guidelines of the Employment Standards Act), the employee can file a grievance with Employment Standards (aka: Labour Board) and it can come to bite the company (and me) in the butt! I know this isn’t how it is everywhere, but maybe it should be.