We tell our employees that they may not speak to the media about our infection rates (including COVID-19 rates) or other caregiving or sensitive matters. This would include disclosing health information about specific residents. Yet, someone keeps leaking information out and the information does not always put us in a good light. Can we limit disclosures that breach our privacy policy? Also, can we take action against such employees? 

A healthcare provider can publish and enforce a privacy policy that protects sensitive information such as infection control or the infection of residents with the COVID-19 virus. This policy protects the healthcare provider, as potential residents may not move into a facility due to COVID-19 if they believe infection controls are not being followed. 

The fear of contracting the COVID-19 virus will adversely affect the census and could have dire negative financial consequences for the provider. Moreover, violations of the Health Insurance Portability and Accountability Act by disclosing medical conditions or information about specific residents is a violation of resident privacy protected by law.

Thus, the healthcare provider has the right to investigate any potential violations of its privacy policies. This would allow interviews of employees or any other reasonable investigation to determine who is violating the privacy policy or HIPAA. A healthcare provider can fire or otherwise discipline employees who violate the privacy policy or HIPAA.

You should apply the same punishment against all employees you can prove have violated the privacy policy or HIPAA. You should follow the advice of your legal counsel in the matters involving discipline or discharge of employees.