2

I am a compliance associate at my company, which is a small call center. My problem is that two of our clients will have to share floor space. One client is tech support for high-end action cameras, while the other is a healthcare account that deals with ePHI.

My concern is that the setup is not HIPAA-compliant. The tech support client requires their equipment to be on the floor so that agents can replicate customer problems. I am worried that a breach might occur if one of the agents from the tech support team takes a picture with their equipment and accidentally captures an image with electronic protected health information (ePHI) from the healthcare team.

I brought this up with my superiors, but they seem to think that granting an exemption to the tech support equipment is enough to remain HIPAA compliant. For me, an exemption is just a piece of paper - it doesn't change the fact that there are unsecured cameras on the floor which could capture ePHI at any moment.

Can any HIPAA experts help out? I need facts to back up my concern. Or, if I'm wrong, at least my mind will be put at ease. Thanks in advance, everyone. Cheers!

To answer @John Deters' questions:

  1. I report to a compliance officer; our department reports to the CEO. Our department can make suggestions, which need approval from the executive committee (excom) before they are deployed.
  2. We recently hired an external auditor for HIPAA compliance, and we passed the audit. Rather than consult with them, I want to resolve my concern internally because I don't want to make a big fuss out of this until I am certain that it is indeed a HIPAA breach or a potential one.
  3. I want to be proactive, rather than wait for a breach to occur. I really do not want those two teams to share floor space for fear of a breach occurring. If I have facts or references to back up my claim, excom will be forced to move the healthcare team to another floor.
Dadfia
  • Can you turn the desk around? – dandavis Aug 17 '16 at 22:15
  • Thank you for the quick response! No, we won't be able to move desks around as they are fixed. The desks are long tables with around 10-14 computers, 5-7 units on each long side, with a two-foot partition separating the two long sides. The healthcare team is on a separate long table, but the tech support team could still see the healthcare monitors if they stand up. – Dadfia Aug 17 '16 at 23:08
  • There are filters that obscure monitors; blocking off-sides (like border-crossing terminals), or needing special glasses. These are not 100%, but they might ease your concern and let you act more responsibly. Might lay the monitors down slightly tilted on the desk (newscaster style) to make it harder to see over the "wall" – dandavis Aug 17 '16 at 23:12
  • Thanks again for your ideas and taking the time to help me solve this, @dandavis. I could suggest that to my superiors. However, I'm not entirely sure that this solution would be HIPAA compliant. Based on my understanding of HIPAA technical safeguards, electronic devices are allowed in the work area as long as they are password-protectable, encryptable, and remotely erasable. A standalone camera would not meet those requirements since it saves directly to an unencrypted memory card. – Dadfia Aug 17 '16 at 23:26
  • I don't know what a "compliance associate's" responsibilities are, so it's hard to answer without knowing who you answer to. Has your company hired an auditor to validate compliance? If so, ask them, else ask your corporate lawyer. If you're a front line support guy without the authority to make changes, you'll have to trust that your supervisors have done the right thing, because you won't be able to do anything about it. If you ever do observe the camera people testing in the direction of ePHI screens, bring that to your supervisor's attention. – John Deters Aug 18 '16 at 19:11
  • Hi, @JohnDeters, I edited my question in response to your comments. Thank you! – Dadfia Aug 18 '16 at 20:46
  • Seems like the easiest solution would be to require HIPAA training and an NDA for the tech support client. Or just some wall panels or cubicle walls. – cde Jul 13 '17 at 16:28

1 Answer

-1

It's a HIPAA violation if the tech support team can even see the monitor screens. The cameras make it even worse.

What makes it worse is that they are separate companies using a shared work space. I think auditors would have a field day with this situation.

Rory Alsop
Greg
  • Can you provide more context here or explain your source for this assertion? – schroeder Aug 18 '16 at 17:58
  • Yes, please. I need facts or references to back this up. Thanks in advance! – Dadfia Aug 18 '16 at 19:20
  • Thank you, I guess the link answers my question. "Minimum necessary" is what I've been using as my defense, I just thought that there would be something more concrete or explicit. – Dadfia Aug 18 '16 at 23:05