Lily works in a hospital human resources department and interviews a man with gaps in his employment that he explains as medically necessary. Lily asks a coworker to search for the applicant’s medical information to make sure he doesn’t have a medical issue that would compromise his ability to perform the job.

Is this a HIPAA violation?

A. Yes, because medical information is private and can’t be accessed by employers

B. Yes, because Lily should’ve asked her supervisor before accessing the records

C. No, because the hospital system has a need to know the medical information

D. No, because Lily needs the information to complete the applicant’s profile

The correct answer and explanation are:

The correct answer is: B. Yes, because Lily should’ve asked her supervisor before accessing the records.


Explanation (300 words):

In healthcare and related settings, accessing patient medical information is governed by strict privacy laws and ethical standards, such as those outlined in the Health Insurance Portability and Accountability Act (HIPAA) in the United States. These laws ensure that only individuals with a legitimate, job-related reason (a “need to know”) may access a patient’s personal health information (PHI).

In the scenario described, Lily accessed an applicant’s medical records. Even if Lily works at the hospital and has access to the system, having access does not automatically grant the right to view all information. The principle of minimum necessary use means that employees should only access the information essential for their duties—and only when they are authorized to do so.

If Lily believed there was a legitimate need to view the medical records (e.g., as part of a pre-employment health assessment), she was still required to follow protocol. This includes confirming with her supervisor or HR department that she had authorization to access those specific records. Failing to do so may result in a HIPAA violation, even if she had good intentions.

Option A is incorrect because while medical information is indeed private, the key issue here is unauthorized access, not just the employer relationship.

Option C is incorrect because “the hospital system has a need to know” is too vague—the system as a whole does not have rights; individuals within it do, based on their role.

Option D is also wrong because needing information to “complete a profile” is not sufficient unless that task is authorized and within the scope of Lily’s job responsibilities.

Therefore, Lily acted improperly, and the best answer is B.

By admin
