Over the past few weeks, we have been exploring HIPAA, which has made its way back into the news. We have talked about how computer viruses and malware can be dangerous to PHI on your network and what to do when you think you have a breach. We are going to continue on our HIPAA Readiness journey by discussing how you as a pharmacy owner are responsible for what your employees commit a violation of HIPAA.
#3 Respondeat superior : The Sins of the Tech Shall Be Visited Upon the Pharmacy Owner (Violation of HIPAA)
What if Joe, your pharmacy tech, lets slip to his friends that “Jane Doe” was prescribed medication for a pretty embarrassing medical condition? That’s a clear violation of HIPAA, and if you hear about it, you’ll fire Joe. But, what if Jane hears about it and files a lawsuit? Will she sue Joe, or will she sue you? Who has the deeper pockets?
Respondeat superior is Latin for “let the master answer.” As a legal doctrine, Respondeat superior means that the employer can be held liable for illegal actions of employees that are done within the scope of their employment. Even though you have done nothing wrong, the law holds that you, “the master,” have a measure of control over your employee and may have to answer for his wrong doing. An employer takes on a certain amount of vicarious liability for employees. You are responsible for training your employees on how to do their jobs and what not to say or do.
There are conditions that must be met before employer liability will be imposed for the wrongful conduct of an employee. To be within “the scope of employment,” conduct must (1) be of the type the employee was hired to perform; (2) takeplace within the time and space limits authorized by the employer; and (3) be at least partly motivated by a purpose to serve the employer. Often, these questions are decided by a jury.
All pharmacies should have policies and procedures in place that clearly spell out the responsibility of employees not to disclose confidential or private medical or treatment information. Employee should be trained on your HIPAA Policies and Procedures and Employees should electronically acknowledge or sign a document stating that they’ve participated in your HIPAA Training. This training along with their job description should clearly lay out the scope of their duties and conduct that is inappropriate or illegal. If you do all you can to document your HIPAA compliance and employee training, Joe may, indeed, take the rap alone.
For more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of the Specialists. Please visit the Blog for additional posts on compliance issues and what you need to know as a pharmacy owner.