How strict is HIPAA on its rules in terms of compliance?
A friend reports to a non-clinician friend that she is aware of a child who is engaging in self-harming behavior. The non-clinician friend accesses her agency's database to determine if the self-harming child is a client and, if so, who the clinician is.
The non-clinician has access to the same database, but for non-clinical reasons as part of her job.
Now it appears that by doing so a HIPAA rule has been violated. So what takes precedence: strictly following a HIPAA rule, which may not have been known, or ensuring the safety of the child? All agree that what was done is morally right to ensure no further harm comes to the child. But it appears HIPAA has a different view.
HIPAA violations are fact intensive. As a result, neither I nor any other attorney can provide an opinion without an intensive fact analysis.
HIPAA (and HITECH) is generally enforced with zero tolerance by the Department of Justice and the Office for Civil Rights and can result in extremely costly penalties (over $1MM in some cases).
Whether a HIPAA violation occurred currently depends on:
- Source and type of information (for example, medical record or Protected Health Information (PHI))
- Whether disclosure was permitted
Covered entities may report protected information to authorized law enforcement under some circumstances.
[Information can be disclosed] to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (45 CFR 164.512(j)(1)(i))
In the scenario you describe, it is unclear whether the information was protected, and it is unclear to whom the information was disclosed.