The investigator in the video said neither the facility nor the construction company working on the property is being cooperative. Do they need to answer questions to LE, or can they refuse because of HIPAA?
Looking at their website, it does appear that Sierra Tucson is a HIPAA-covered entity, but otherwise, I haven’t seen anything that independently confirms that it is:
Privacy Policy | Sierra Tucson
Are You a Covered Entity? - Centers for Medicare & Medicaid Services
Summary of the HIPAA Privacy Rule
As to the construction company, one of the factors seems to be whether or not they entered into what is called a business associate agreement with Sierra Tucson. I highly doubt that they did because:
“A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
[they use janitorial services as an example]
Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule. See 45 CFR 164.502(a)(1).” (BBM)
243-Is a business associate contract required for inadvertent contact with protected health information
But even if there is no business associate contract, there is probably a confidential agreement in place, IMO.
For example, I found a “Contractor Safety Manual,” prepared specifically “for Construction Workers performing work at” a healthcare facility. It includes a “Confidentiality and Data Security Agreement” that each worker is asked to read and sign.
https://www.thechristhospital.com/Documents/About the Network/Supply Chain and Contractors/manual 7 2016 within facilities.pdf
Extremely frustrating situation, IMO.