Can healthcare professionals share PHI from previous workplaces?

In cases where a healthcare professional changes jobs, they must treat protected health information (PHI) from previous workplaces with the same level of confidentiality as they would at their current place of employment. Disclosing such information without proper authorization or necessity is prohibited and can have serious repercussions.

 

Does HIPAA apply to past employment?

HIPAA regulations continue to bind healthcare professionals regarding the handling of PHI from their previous employment. Even after a healthcare worker leaves a job, HIPAA's privacy and security rules mandate the continued protection of patient information they accessed or managed during their former employment.

 

Privacy rule compliance

The HIPAA Privacy Rule requires healthcare professionals to protect the confidentiality of PHI. This obligation doesn't end with a change in employment. When healthcare professionals move to a new job, they are still bound by the duty to keep any PHI they encountered at their previous workplace confidential. This means they cannot share or discuss this information with new colleagues, employers, or other parties unless the patient has given explicit permission or the sharing is for legitimate treatment, payment, or healthcare operations purposes under HIPAA.

 

Information disposal

If healthcare professionals possess any physical or electronic documents containing PHI from their previous employment, they are responsible for ensuring these are disposed of securely if no longer needed. This means following proper procedures for destroying or deleting PHI to prevent unauthorized access or breaches.

 

Circumstances for PHI disclosure

  • Continued patient care: If the healthcare professional continues to treat the same patient at a new workplace, they can share PHI for ongoing treatment. For instance, a physician who moves to a different clinic but continues to see the same patient may transfer relevant PHI to ensure continuity of care.
  • Patient consent: PHI can be shared if the patient has given explicit written consent. This consent must specify the information to be shared, the purpose of the disclosure, and to whom the information is to be disclosed.
  • Payment and healthcare operations: PHI can be disclosed for billing, healthcare operations, quality assessment, or accreditation purposes, provided these activities are related to the services previously rendered at the former workplace.
  • Public health activities: Disclosure is permitted for public health reasons, such as reporting communicable diseases, work-related injuries, or other public health surveillance activities.
  • Legal requirements: Healthcare professionals may disclose PHI if required by law, such as to comply with court orders or subpoenas, or to assist law enforcement in specific circumstances.
  • To avert a serious threat: If the disclosure is necessary to prevent a serious and imminent threat to public safety or an individual's health, PHI may be shared consistent with ethical standards and other legal requirements.
  • Research: PHI can be used for research purposes under certain conditions, such as when an Institutional Review Board has waived the requirement for individual authorization.

 

Role of healthcare institutions

To prevent unauthorized sharing of PHI by former staff, healthcare institutions must take proactive steps:

  • Conduct exit interviews emphasizing the ongoing confidentiality obligations, and immediately revoke access to electronic health records (EHRs) and other systems containing PHI upon an employee's departure.
  • Require employees to sign agreements reinforcing PHI's confidentiality even after leaving the institution. 
  • Hold regular training sessions during employment about data privacy and the legal consequences of violating HIPAA rules to instill a lasting sense of responsibility.
  • Monitor and audit systems to detect any unauthorized access or sharing of PHI, even after an employee has left. 
