Security Q&A: Recycling electronic devices, medical scribes, and HR disclosing PHI

May 31, 2018
Briefings on HIPAA

Q. Is a hospital’s human resources (HR) department covered by HIPAA? I work at a hospital and suspect that someone in our HR department disclosed medical information about an injury I sustained at a previous job. Is this a HIPAA violation?

A. If an employee in the HR department discloses medical information that the hospital maintains as HR information (as opposed to patient record information), the incident could be a policy violation if the disclosure was not for a bona fide HR-related activity such as loss prevention. Depending on the situation, the disclosure might also be a breach under state law. However, it would not be a HIPAA violation. For example, if you’re required to provide medical information following family medical leave, the information you provide to HR would not be considered PHI. It would be considered personally identifiable information, though. When acting as an employer, a covered entity (CE) or a BA is not conducting what HIPAA defines as covered activities.

Editor’s note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.
