Background:
- Company is a small healthcare tech startup (~500 employees)
- Recently, they signed a deal with a big pharma company that they were in no way staffed to handle. As a result, they conscripted the entire corporate/engineering staff into doing HIPAA work to try and keep up.
- Most of Engineering was already HIPAA trained due to PHI systems. All corp employees that weren't HIPAA trained got the basic click-through 30-minute self-training that engineering got, although that came after a fair number of them had started doing this work.
- Bad company practices aside, there's a step in the process that requires users to log into a third-party site that contains PHI. For whatever reason, there is only one account to access this site. So, since this has been going on, everyone has been hitting this site with a shared login (creds stored in a Google doc with company-wide access) 25+ times per day.
- A couple of others and I quickly raised this issue as a HIPAA violation with leadership and legal. We were told they'd look into it, and nothing further has happened for ~3 weeks.
- Since reporting it, two team members who also reported it and I have refused to do the work on account of this illegal step.
- We are now being engaged by our department HR rep and being told that if we don't participate, it could mean bad reviews and no promotions.
- Initially, the work was framed as a request from leadership for assistance. That was never changed in writing. But they are now saying that it's a requirement as part of job function, regardless of role. Although, to the best of my understanding, no one above director level is participating in this work.
Deeper Background:
- The above is the latest issue. Prior to this new hell blowing up, I had been having leadership issues and had engaged HR about it over the summer. The responses I was getting inspired me to start documenting everything, including recording audio of Zoom calls (I am in a single-party consent state) and taking phone pictures of Slack/email convos.
- Since others and I started reporting these concerns, a couple of things happened. First, it seems to have triggered the company-wide re-training on HIPAA via the self-guided training I mentioned. About halfway through that training, it specifically calls out that shared logins are not to be used to access PHI. LOL. The second thing that happened is that the company suddenly decided to switch from a "save everything forever" data retention approach to a "dump everything older than 30 days" approach. This was initially to apply to all systems everywhere. But, when issues were brought up with our ability to document problems and maintain operational documentation, this was walked back to communication/collaboration systems like Slack/email/etc.
Clearly, there are some serious shenanigans involved. There is also the implication that the company lied to get this deal, as I doubt the partner company would have agreed to a deal that not only meant converting an entire corporate and IT engineering team into healthcare data entry workers but also violating HIPAA hundreds of times per day in the process.
So, what am I not doing/considering that I should be, Reddit?