HIPAA Isn’t Brain Surgery

The other day I noticed that one of my (very competent) colleagues out on the WWW advised that you have a “deep understanding of HIPAA” when advertising his HIPAA training.  I have no doubt that his training is probably stellar.

 

But, trust me, as a Privacy Officer for the past six years I can tell you that you do not need a deep understanding of HIPAA.    

 

What you need is to find and rely on those who DO have a solid, boots-on-the-ground understanding of all the major and minor pieces, as well as all of the nuances of the HIPAA privacy rules, and can assist you on an as-needed basis. 

 

Let’s say that you’re a practice manager, and you’ve been served with a subpoena for copies of the records of one of your patients.  Did you know that you are required by the HIPAA Privacy Rules, to ensure that whoever signed the subpoena has made all other parties aware of the subpoena and provided them with an opportunity to object?  That’s one of the nuances of HIPAA.  And I’ll bet it wasn’t included in that 30-minute training some consultant, with little or no healthcare or compliance experience, sold you.

 

Did you pay $100s for HIPAA training?  Bought some of those “official HIPAA forms” (no such thing, by the way)?  Did you buy a copier from some company who claimed that their copier (and faxes, and scanners, etc.) were “HIPAA compliant”?  Oops, sorry, there’s no such thing as a “HIPAA-compliant” copier.  (Believe me, you’re not alone — lots of money has been made using the “HIPAA compliant!” label. . .)

 

If paying all that money for HIPAA training had been enough to keep practices from complaints, then there wouldn’t be 41,000+ complaints filed with HHS in five-plus years. 

 

That your practice may not have had any complaints doesn’t tell me whether your staff understands their roles regarding HIPAA; it just tells me that your patients don’t know their rights.  Yet.  But that’s changing.  HHS is now getting hundreds more complaints every month.

 

I’ve been the Privacy Officer responsible for implementation and compliance with the HIPAA Privacy & Security Rules for a large healthcare system for the past six years: 300 beds, 1.5M clinic visits per year, and 6,000+ employees.  THAT’S what gives me a very solid understanding of all the major and minor pieces, not to mention the nuances, of HIPAA Privacy & Security.  The proof is in the pudding — in the past 12 months we’ve had 17 privacy complaints; ten of them were without merit.  Not too shabby.

 

I’m setting up a HIPAA Privacy & Security practice.  I’ll be offering information based on real experience, with real complaints, and real solutions.  And I’ll be steering you away from almost anything claiming that it’s “HIPAA compliant.”  When it comes to Privacy & Security compliance, most of it relies on the behavior of your staff, and the rest just isn’t that hard.

 

Keep me in mind.

 

I blog regularly about HIPAA issues.  If you have a question about either the privacy or security rules, or if you’re having a problem with one of your providers (or one of your patients), email me directly at hipaadiva@yahoo.com.  It would be my pleasure to help you.

Why – You Look Like You Need an Authorization!

Nothing personal, but you really do need an authorization. An authorization signed by you, that can be used by your family members, significant others, and close friends in the event that something happens to you and you are either unconscious, or a physician has declared you to be not competent to make decisions about your care, can be a very handy little item to have.

And not just any old authorization, either. You need one that has all the elements required by the HIPAA Privacy Rules.

Just like me, you probably are relatively healthy, maybe a little high cholesterol and a little too much padding, but really, you’re okay. So you’re thinking no, you really don’t need to carry around an authorization. Umm, yes, you do. And here’s why.

What if you get hit by a bus on the way home tonight? Highly unlikely, and certainly we don’t want this to happen, but stay with me on this. You get hit by a bus, you’re taken to the best Emergency Department in the area, and your husband is called. He comes to the ED, and starts to ask questions about you: how are you, can he see you, what is happening or going to happen to you, etc.

Now, let’s say at this hospital the staff have been trained with respect to the HIPAA Privacy Rules. But, they’ve been badly trained. They think that they can’t talk to your husband about you, because that would be “against HIPAA.”

Or, worse, the staff have been well-trained in the HIPAA Privacy Rules but they just don’t feel like dealing with your husband, so they tell him that they can’t talk to him about you, once again because that would be “against HIPAA” and a violation of your privacy.

Think it can’t happen to you? I sincerely hope it doesn’t. But, it’s in your best interest, and that of your family, too, for you and all adult members of your family to have an authorization on hand that can be used in the event that you are unable to make a decision about your healthcare.

The HIPAA Privacy Rules have some very specific requirements regarding what needs to be included in a valid authorization – one that will be honored by that hospital or any of your healthcare providers, insurance companies, etc. Let’s go through them.

Per the HIPAA Privacy Rules (see 45 CFR 164.508[c][1]-[3]), the authorization must include all of the following items:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion: what stuff can your healthcare provider disclose to whoever you’ve named in the authorization?

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure: that would be you.

3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure: that would be your family members, next of kin, significant other(s), close friends, etc. – who can the hospital or healthcare provider disclose your healthcare information to? (Be sure to include your name here. Trust me.)

4. A description of each purpose of the requested use or disclosure: the statement “at my request” is a sufficient description of the purpose when you initiate the authorization and do not, or elect not to, provide an additional statement of the purpose: either state “at my request” (or similar verbiage), or spell out in plain language the reason why you are authorizing healthcare information about you to be disclosed.

5. An expiration date or an expiration event that relates to (you) or the purpose of the use or disclosure: the statement “end of the research study,” “none,” “December 31, 2010” or all similar language is okay.

6. Your signature and the date. (Note: If the authorization is signed by a personal representative of the individual [for example, by a parent or guardian of a minor], include a description of the representative’s authority to act for the individual.)

7. A statement regarding your right to revoke the authorization in writing.

8. The exceptions to the right to revoke and a description of how you may revoke the authorization.

9. A statement that the covered entity (healthcare provider, hospital, etc.) may not condition treatment, payment, enrollment or eligibility for benefits on whether you sign the authorization: this means they cannot refuse to treat you just because you didn’t sign an authorization (not useful for you in most situations, but nonetheless a requirement).

10. The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart: this means that you agree that if the hospital, for example, discloses information about you to your significant other – then the hospital is not responsible if your significant other subsequently discloses your information (gossips) to someone else.

11. The authorization must be written in plain language. Yeah.

Here are my recommendations: all adult members of your family, your significant others, and/or close friends, attorney, etc., should have a copy of your authorization for them to obtain healthcare information about you in the event that you are incapacitated, or incompetent, or even just to pick up your latest prescription. And, just as important, you should encourage them to have authorizations, too, with the names of all the individuals they would like to be able to obtain healthcare information about them in the event that they become incapacitated or incompetent, etc.

An authorization DOES NOT replace a medical power of attorney – you should ensure that all adult members of your family have a signed medical power of attorney prepared by a competent attorney in your state.

But, for situations in which a person may be unconscious or otherwise temporarily unable to authorize a disclosure of their current health situation to another family member or friend, having an authorization in your pocket of purse can save everyone a lot of stress and upset.

If you would like a copy of a HIPAA-proof blank authorization that you can use, email me at hipaadiva@yahoo.com, and I’ll send you one, for free. This offer is only valid until I get my website online; when it’s ready to go then I’ll be offering these authorizations for a fee.

I blog here fairly regularly on all subjects related to patient privacy, the HIPAA Privacy & Security Rules, patient advocacy, etc. I invite you to send me any questions you may have about your medical records, healthcare privacy rights, etc., to hipaadiva@yahoo.com.

If you happen to be a nurse or nursing student, check out cathylwhite.wordpress.com for information about legal issues affecting nurses.

$100,000 HIPAA Fine – Way Too Little, and Way Too Late

After more than five – FIVE – years of the HIPAA rules, and bazillions of small private practices of doctors, dentists, chiropractors, optometrists, shrinks, etc., NOT being compliant with the rules, and bazillions more patients who have no clue what their HIPAA healthcare privacy rights are, HHS finally got off their heinie and fined a hospital system in Washington State because it kept leaving those pesky laptops lying around, getting stolen, and not doing anything about it.  More than 386,000 patients’ healthcare information was lost on those laptops.  (Note to self — isn’t almost every loss of patient information lately been due to the loss of a laptop?  Must investigate why hospitals let members of their workforce walk out the door with laptops full of patient data. . .)

But wait – what’s that you say?!  It’s not a fine??  Why, by gosh and by golly, you’re right.  HHS has declined to call this a “fine” – they’re calling it a Resolution Amount.  Oh.  Yeah, that makes it all better.

Here’s how HHS describes it: “In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006. . .

“On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

“As a result, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.”

After pulling up the handy calculator that Microsoft ^® XP ^® so nicely provides, I’ve calculated that each patient’s healthcare info was worth, let’s see, 100,000 divided by 386,000 =  about .259; which is 25.9¢.  Is that right?  Let’s check: (.259)(386000) = 99,974.  Okay, close enough. 

What this means is, if you were one of those folks whose healthcare information was stolen because Seattle-based Providence Health & Services couldn’t get its act together over a more than two-year period and ENCRYPT the data contained on the laptops, tapes, etc., or even PREVENT them from being stolen in the first place (GPS locator, anyone?  Sheesh, even my cell phone has one.), your healthcare info was worth a measly 25.9¢. 

All I can say is: wow.

Whether you’re a Democrat or a Republican or a Libertarian, or a Green, or an Independent, etc., a radical change in leadership at the level of the Cabinet position of Secretary of Health & Human Services (HHS) is called for.  You and your family’s health information has got to be worth more than a little over a quarter.  Really.

So, think carefully and VOTE.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’ve got a question about the privacy of your healthcare records, email me at hipaadiva@yahoo.com.  I would be happy to help you if I can.

 

PHRs? No, No, NO

They’re not quite here yet, but they’re coming.  PHRs.  Personal Health Records.  And they sound like the greatest thing since the proverbial sliced bread. 

You’ll love them, until you don’t.

You probably think your medical record is yours.  You probably believe that all the information contained in all the records maintained by all the docs, dentists, shrinks, chiropractors, etc., that you’ve ever been treated by, belong to you.  All those other people are just keeping your records for “safekeeping.”  But really, if you wanted them, you could have them.  After all, they’re about you, right?

So along comes a nice web-based company, a big one, one you’ve heard of and boy, are they legit.  You trust them.  They wouldn’t be that big and have such a huge Internet presence if they weren’t on the up and up, right?

And this nice big company has a new service: a Personal Health Record, a PHR.  For a modest fee, you can arrange to have your docs, and dentists, and shrinks, and all the rest of them, download your health records into the PHR.  Now all your information is yours, all yours, right?

Or, maybe your employer has arranged for all its employees to store their health records, and those of their families, in a PHR.  Free!  You won’t pay a dime!  

Not so fast.

Let’s take a look at all the pros (very short list) and all the cons (very long list) of the fabulous new internet-based PHR. 

Oh, wait, actually there are no pros, only a lot of cons.

1.  Physical and electronic safety and security

First, it’s possible that something could happen to the computer where your PHR is stored.  Fires, hurricanes, tornados, and other disasters really do happen; so do mistakes in server rooms (the secure places where the computers live) when the fire alarm system malfunctions and sprays all the servers with water or halon or whatever they use in server rooms.  Oh, well.  Stuff happens. 

But the company that is storing your PHR probably has a disaster recovery plan.  Well, you hope they do, anyway.  You also hope that they perform daily backups (make copies of the data), and store the backups of your information on a server at a separate location.  And, even more, you hope that they test their backup and recovery routines – and make sure that if there is a disaster and they have to download a copy of your PHR from that other location, the new downloaded copy really works.  Because if it doesn’t, well, too bad about your PHR, it’s gone.

And, of course, you hope that your PHR company, because they’re such a giant, well-known organization, has a terrific Internet Security Policy, and a practically impenetrable firewall around their servers so that no hackers can electronically access your PHR without authorization.  Well, you hope the firewall is strong, but really, even the federal government’s computers are sometimes hacked, and they have the best security of all.  And there have been hundreds of breaches of servers that hold consumer information; just use google to look up “privacy breaches” and see what you get.  My personal favorite for this kind of information is www.pogowasright.org.

But what if the worst happens, and your kid’s personal health information is breached and stolen from the family PHR.  Does the PHR company owe you anything beyond a notification and an apology?  What’s in the fine print in that contract you signed with them?  Your kid may suffer legitimate damages – her credit may be scarred even though she’s only eight years old, but you’re going to have to clean it up so that it doesn’t affect her ability to get student loans in about ten years.  Can you sue the PHR on behalf of your child and recover damages?  Just what did that pesky fine print say about all that?

Let’s make it even worse – what if the PHR is being paid for by your employer?  What if you never even saw the fine print, because the contract is between the PHR and your company?  Who is going to make your daughter’s credit whole again?  If you get a “too bad, so sad” comment from the PHR company or your employer, who do you sue?  Both of them, neither of them?

Or, how about this scenario: what happens if your kids get hold of the password to your PHR?  Let’s say your tweener tries to log on to your PHR, but can’t get past the password.  He clicks “Forgot Your Password?”  And then he goes to your email account and gets the instructions to set a new password.  He sets the new password, and then trolls through the PHR.  The next time you log onto the PHR, you enter your password but it doesn’t work, so you think nothing about it other than you just don’t remember the password.

Oh, yeah, and then there’s the PHR’s Privacy Policy.   

There is no federal requirement that a PHR tell you should they change their privacy policies.  Do you read the privacy policies that your bank, and your credit card companies send every year?  Thought not.  Do you think you’ll read your PHR’s privacy notice each year?  Probably not.

Believe it or not (and I know how hard this is for some of you to believe), your health records are a lot more secure in your various providers’ offices than they are in an online storage scheme like a Personal Health Record.  Your providers are required to protect your records, and they have a lot of incentives to do so.  A for-profit company doesn’t have those same requirements.

2.  What if some information in your PHR is wrong?

Let’s say that recently you were treated for a minor condition at one of your health providers, and you’ve downloaded a copy of your health record from your PHR to review the information about your latest problem.  But there’s a mistake.  Instead of a note about your case of hives, you see a note about your ongoing recovery from your recent hip replacement. 

What?!

Nope, nothing about your recent issues with urticaria (those pesky hives), but lots of info about the hip replacement, your upcoming physical therapy, blah blah blah.

Did your provider accidentally upload another patient’s health information?  Or did the PHR system have a bug and upload the correct information to the wrong internal file?  Who made the mistake?  Who do you call?  If you call your provider, will his office manager insist that they did not make the mistake?  If you call the PHR, will they insist that your provider did indeed make the mistake?  They said, they said.  Where will that leave you?  How many hours will you have to spend on hold, waiting for a representative to talk with you about this problem?

And what about the other patient?  Who is going to inform them of the very clear privacy breach that occurred?

The HIPAA Privacy Rules have a process that the provider must follow whenever you obtain a copy of your health records and find an error.  But the PHR doesn’t have to follow the HIPAA Privacy Rules.  You’ll probably have to follow your PHR’s rules, whatever they are.  Whether they will help you or not is just unknown at this point.

I know of a patient who thought that he’d be able to get greater benefits from his employer if he was diagnosed with a serious mental health condition.  He filed a request to have his medical record amended to include a diagnosis of schizophrenia.  He claimed that during a visit to an ER at some point in the past, someone in the ER asked him if he’d ever been diagnosed with schizophrenia.  A review of his records for that ER visit revealed that no such question had ever been raised, nor was there any evidence in his records that he’d ever been evaluated for or diagnosed with that disease.  His request for the amendment to the record was, of course, denied.

But what if that same patient had a PHR, and had the ability to amend his health records himself?  What if his record suddenly showed a diagnosis of schizophrenia?  What if he were now able to obtain federal or state benefits?  Probably wouldn’t happen, because in this extreme case he would be examined by other providers to determine whether or not he did suffer from schizophrenia prior to treatment.  But what about someone else, who puts a far less serious diagnosis in their PHR?  These things can all be checked and verified, but how much extra time and effort will have to be taken?  And when these kinds of things become more common than not, will health providers even trust PHRs? 

3.  Who will be able to get a copy of your PHR?  And, will they tell you when they do?

Right now, there are a number of instances in which your health provider may give a copy of your records to a third party without your prior authorization.  But in all of those instances the provider is required to keep a record of those disclosures, and you can see the record of those disclosures any time you want – requesting an “accounting of disclosures” from your providers is one of the specific rights that the HIPAA Privacy Rules give you.

But PHRs are not required to follow the HIPAA Privacy Rules, and they don’t necessarily have to tell you when they share or disclose your health records with a third party. 

Let’s say your PHR company accepts advertising.  You’re looking at your records online, and up comes an ad for a cholesterol lowering drug.  Makes sense, right?  After all, you’re in your 40s, and your cholesterol is a little high. 

What?!  How is it possible that an ad for a statin drug just happened to pop up when you’re online? 

It happened because your PHR shared your health information with their advertisers.  No one told you that your health information would be shared, if not outright sold, for marketing purposes.  Must have been something about it in the fine print of that contract you forgot to read (or your employer forgot to give you a copy of). 

The HIPAA Privacy Rules prohibit the disclosure or sale of your health information for marketing purposes without your written authorization.  But PHRs are not required to follow the HIPAA Privacy Rules.  You think all those ads on TV for Viagra® and other medications are annoying?  Just wait till they follow you online and become personalized.  As far as the advertising partners of your PHR are concerned, you’re not a patient, you’re a consumer.   

And then there are the cases where you believe that a health provider made a mistake with your care or treatment, and you believe you are entitled to damages.  Can opposing counsel get a copy of your records without your even knowing about it?  Maybe.  Depends on your PHR, of course, and their policies. 

Or, maybe you were accused of, say, a DUI.  In most cases the courts require that a subpoena be utilized in order to obtain your records.  Okay.  Under the HIPAA Privacy Rules you have a right to know when your records are being obtained by the use of a subpoena.  But your PHR doesn’t come under the HIPAA Privacy Rules, hence you may never know that your records have been subpoenaed and your attorney will not have the opportunity to contest the subpoena.  Not so great.

There are other questions to consider, too.  If the PHR is owned by your employer, will they snoop?  If the PHR is owned by your insurance company, will they snoop?  What happens if your PHR is privately owned (you pay them a fee to store your records), and is subsequently sold to an overseas company?  Will they care about American privacy laws?  I could come up with lots of other what ifs.  You probably can, too.

Mr. Robert Gellman is very helpful in his white paper for the World Privacy Forum, Personal Health Records: Why Many PHRs Threaten Privacy⁽¹⁾, with the following tidbit:

 

“A 2007 study of PHR privacy policies conducted for the Department of Health and Human Services found that only 3 percent, or one in 30, of PHR privacy policies state that explicit consumer consent (is) necessary prior to the vendor sharing any of the data in the PHR.”⁽²⁾

Three percent, huh?  Not so great.

4.  Who really owns the health information in your PHR?

What if your employer owns your PHR?  Does this mean that Human Resources can learn whether you’re a diabetic, morbidly obese, or a smoker, and subsequently raise your health insurance rates, or make weight loss a condition of your continued employment? 

What happens to your health data when you move on to another job?  What if your new employer doesn’t have a PHR?  Will you have to pay for a private PHR?  Or will your data just be erased – and what proof will you have that your health information was really “erased”?

What if your insurance company owns the company that stores your PHR?  No authorizations needed here – the insurance company will have instant access to everything about you.  And so will every other insurance company.  What happens when your new employer offers you health insurance from the company that owned your PHR at your last company?  And what happens if they refuse to insure you based on information they’ve gathered, without your consent or knowledge? 

Not so great.

5.  Provider-Patient Confidentiality

Questions about provider-patient confidentiality are not rhetorical.  Will that confidentiality exist, in a legal sense, when you or your provider upload your health information to a commercial PHR? 

Mr. Gellman makes a great point about this in Personal Health Records: Why Many PHRs Threaten Privacy: “. . . it seems certain that a prosecutor or another person who wants a consumer’s health record will argue that the consumer” – that’s YOU – “waived any privilege by sharing the record with a third party.  A court is likely to agree that the patient waived the privilege by consenting to the disclosure (to the third party).”

 

Once again, you’re just another consumer, no longer a patient.  And your provider-patient confidentiality rights may fly right out the window the first time you utilize a PHR.

*  *  *

Look, HIPAA may not be the most robust protection for health information, but it’s better than nothing.  Trusting your health information to a PHR means that you’ve got nothing – no federal, and probably no state, health privacy protection laws.  Sure, maybe the FTC might get involved in a dispute, but what do they know about health privacy?

At some point you’re going to be approached about utilizing a PHR.  It may be free, or it may be one that you pay for.  It may be sponsored by your employer, or by some other third party.  When that time comes, here’s my advice: Just say NO.  Once you open your most private information, and that of your children, to a commercial enterprise, that genie will be out of the bottle, and you and your family may suffer greatly as a result.

1. Original publication February 20, 2008 at http://www.worldprivacyforum.org. Document URL: http://www.worldprivacyforum.org/pdf/WPF_PHR_02_20_2008fs.pdf.  Also, see: 

www.bobgellman.com

2. See R. Lecker at al, Review of Personal Health Record (PHR) Service Provider Market, Jan 5 2007, www.hhs.gov/healthit/ahic/materials/01_07/ce/PrivacyReview.pdf ).

It Could Happen to You — A Call to Arms

On August 1, I wrote about how Big Brother may not be just the government, but, surprisingly, also your friendly pharmacist.  The Business Week article that I was referring to (http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm) talked about how someone can be turned down for health insurance because the pharmacies they’ve used in the past have sent their pharmacy information to Pharmacy Benefit Managers (PBMs), who in turn sell the information to third parties, who sell the information to health insurance companies, who then deny health coverage. 

Sweet, huh?  For the health insurance companies, anyway.  But not for you.  Or your family.

And the road from the pharmacy to the PBM to the third party is all done without your authorization.  Which seems kind of funny to me, because pharmacies are HIPAA “covered entities”, and they need to have your authorization to share your protected health information, except in very specific circumstances.

Now, the HIPAA Privacy Rules allow an entity called a “Business Associate” to do business with a covered entity such as a pharmacy.  In such cases, the pharmacy, as the covered entity, must execute what’s called a “Business Associate Agreement” with the business associate, and part of the agreement allows the covered entity to share identifiable protected health information so that the business associate can do all kinds of things, under contract, to the covered entity — in this case, the pharmacy.

Okay.  So far we have a covered entity, the pharmacy.  And we have a business associate of the pharmacy, the PBM, pharmacy benefit manager.  Why would the pharmacy contract with a PBM? 

Because PBMs do all kinds of useful things that they can probably do a lot less expensively than the pharmacy.  Wikipedia says this about PBMs: PBMs are “. . . third party administrator(s) of prescription drug programs. They are primarily responsible for processing and paying prescription drug claims. They also are responsible for developing and maintaining the formulary, contracting with pharmacies, and negotiating discounts and rebates with drug manufacturers.  Due to their larger purchasing pool for prescription drugs, PBMs can negotiate rebates and discounts on behalf of their clients.”

I think we can agree that PBMs provide very useful services to pharmacies, right?  Good.

The problem comes along when the PBM sells your identified protected health information to yet a third party, for a profit.

I have a problem with that, a huge problem. 

The HIPAA Privacy Rules don’t allow your identifiable protected health information to be sold without your authorization. 

When was the last time your pharmacy asked your permission to sell your protected health information, or the protected health information of your children?  Gosh, I don’t remember ever being asked by a pharmacy to do such a thing with my protected health information. . . 

So I’m asking for your support: I’d like you to send an email to Health & Human Services and ask them the following questions:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Folks, the FTC has looked into this and not seen a problem with the practice of PBMs selling your identifiable protected health information.  But they are not responsible for the HIPAA Privacy Rules, Health & Human Services is.

So, please — send an email to OCRPrivacy@hhs.gov and ask them the above questions.  The more people who ask, the more they’ll pay attention and look at this very serious problem.

If you think this couldn’t really be an important issue, then I’d like to introduce you to Mr. Walter Shelton and his wife, Paula, who were denied health insurance because pharmacies they’d used in the past — WalMart and Randall’s (part of Safeway) — sent their identifiable protected health information to a PBM, who, without their authorization, sold it to a company called Med Point.  Med Point put together a pharmacy profile on them and sold it, along with the Shelton’s names, for $15 to Humana.  And then Humana rejected their insurance application because of the use of a couple of very minor medications that many of us may need to use at one time or other.

Have Humana?  How about Aetna?  Blue Cross/Blue Shield?  UnitedHealth Group?  Some other health insurance?  Do you ever get your prescriptions filled at WalMart?  Safeway?  Randalls?  Then yes, it COULD happen to you, when they sell information about you to Med Point or their competitor, IntelliScript, for just $15.

Please everyone, a quick email to OCRPrivacy@hhs.gov — remember, it’s Health & Human Services (HHS) that administers the federal medical privacy laws and rules — and ask them:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Mr. Shelton has already sent his email to HHS, will you send one, too?  Just takes a minute.

THANK YOU!!!

I blog regularly on medical privacy issues, medical records, HIPAA, and other related issues.  If you have any questions about your medical privacy, your ability to get copies of your medical records, privacy problems with your doctors, dentists, chiropractors, psychologists, etc., please send me an email at hipaadiva@yahoo.com — I would be honored to help.

You Took Your Injured Friend to the ED. He’s Unconscious. He Has No Relatives. His Doctors Won’t Tell You Anything. What Can You Do?

This is one of the most heart-wrenching situations that I hear about: a person brings their friend to the ED, because the friend is very sick or injured.  The ED is treating the friend, but for a period of time the friend is unconscious.  You inquire about your friend’s status.  The staff says, “We can’t tell you anything because of HIPAA.”  Or, “We can’t tell you anything because of privacy.”  Or some variation on the theme.

Frustrating and very upsetting, no?

Even more frustrating is that it’s NOT TRUE.

That’s right.   The HIPAA Privacy Rules specifically allow healthcare providers to give limited information about a person to the person’s friend or family members if, in the best judgment of the providers, such a disclosure would be in the best interest of the patient.

Well, geez, I’m thinking that it’s definitely in the best interest of your unconscious friend for the doc to let you know what’s going on, or at least what to expect.  What do they think — that you’re going to use the fact that your friend is suffering from, say, a bad concussion, to steal the friend’s identity and go on a spending spree with his credit cards?  Come on, get REAL.

Here’s what Health & Human Services — remember, they’re the ones that administer and are responsible for the HIPAA Privacy Rules — says about the subject — and I’m copying this straight from their website (http://www.hhs.gov/hipaafaq/notice/488.html)!

Here ya go —

“Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

“Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care.

“If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object.

“The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

“A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.

“A hospital may discuss a patient’s payment options with her adult daughter.

“A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.

“A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

“Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

“A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.

“A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone. 

“In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.”

How about THAT! 

Sometimes I think that the excuse “We can’t do X-Y-Z because of HIPAA” is just that — an excuse that a lazy healthcare provider or administrative staff uses to get them out of doing their job.  Sounds official, though, doesn’t it?  “Can’t do it because of the HIPAA LAW.”  Well, uh, that isn’t what the HIPAA rules say.

There you have it — use this information next time you need it.

Next time on this blog — how to protect yourself and your family members and friends from having to deal with the “I can’t do it because of the HIPAA law” excuse.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’re having a problem related to healthcare/patient privacy, getting a copy of your medical records (or those of your family), and other health privacy related questions — I’d be honored to help, so please email me directly at hipaadiva@yahoo.com.  And yes, I’m working on the website!  And yes, please tell your friends about this blog!

HIPAA Complaints — Yes, We Have Some Statistics, and You’re Not Alone

HIPAA privacy and security complaint statistics have been made available for June.  You may not realize it, but the federal HIPAA Privacy program is administered by Health & Human Services (HHS) Office of Civil Rights (OCR). 

Let’s see how things are going.

June 2008 — OCR received 849 HIPAA privacy complaints.  Ouch.

OCR pegged 256 cases that required some kind of action by the HIPAA covered entity (that would be a provider, a hospital, an insurance plan, folks like that who work with your protected health information).  If all 256 of those cases were filed in June, it means that a quick look-see at the complaints, just for June, reveals at least 30% of them will require that the provider or hospital or health plan DO SOMETHING to protect your health information.

OCR made one referral to the Department of Justice for potential prosecution.  Not bad, especially considering that OCR has referred 436 cases to DOJ since April 2003.  We can interpret this one of two ways: either the bad guys are getting better at getting away with stealing your protected health information, or providers, hospitals, and health plans are getting better at protecting it.  (I wouldn’t put any money on the second possibility.)

The most common HIPAA privacy complaints were:

—  Unauthorized disclosures of protected health information

—  Safeguard issues — the doctors, or practices, or health plans, etc., were not taking as good a care of your protected health information as they probably should 

—  Denial of patient requests for copies of their medical records

—  Disclosing too much protected health information 

—  Utilizing invalid authorizations for disclosing protected health information (I’ll explain more about valid authorizations in a future post)

In order, here are the offenders:

—  Private practices

—  Hospitals

—  Outpatient (day surgery) facilities

—  Health Plans (group health plans and health insurance companies)

—  Pharmacies (a small surprise, right?)

The HIPAA Security Rules are administered by CMS — the folks who bring you Medicare.  They received 10 complaints in May — a very big jump for them.

Got a question about your or your family’s protected health information, your medical records, or your HIPAA Privacy & Security rights?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  I’m here to help.  BTW, all posts on my blog, written by me, are (c) 2008 Lane R Hatcher.  If you’d like to reprint, contact me!  And yes, I’m working on a web site.

Betcha Thought Big Brother Was the Gov’t — But You Thought Wrong

It turns out that a bigger threat to your privacy may not be the government (though they should certainly be high on the list).  Believe it or not, the bigger threat may be the remarkably potent combo of your health insurance company and your pharmacy.

What??  Your little ol’ pharmacy down at your grocery store, or your local drugstore? 

Yes, indeed, the very ones.

Turns out that the companies operating those pharmacies in your grocery store or drugstore often sell your prescription information to third parties called Pharmacy Benefit Managers. 

The Pharmacy Benefit Managers in turn sell your prescription information to two other companies: MedPoint and Intelliscript.

Here’s how it works: you apply for health coverage with any of a number of insurance companies, including Blue Cross/Blue Shield, Humana, UnitedHealth Group, Aetna, and others.  Generally you sign a release giving your authorization for the insurance company to obtain your previous medical history. 

Then, for a measly $15 a pop, MedPoint and/or Intelliscript sell your pharmaceutical “profile” to health insurance companies.

Here’s the problem: you may have signed a release for the insuance company to obtain your medical history, but you never gave your authorization for your pharmacy to sell your protected health information to MedPoint or IntelliScript.

Your pharmacy profile includes all the medications you’ve taken, along with a sweet little number that clues the insurance company on how much they might have to pay out on you in the future.

Taking anything “off-label”?  Problem.  Taking any mental health meds ?  Oops.  You might very easily be denied coverage.

Those who are particularly vulnerable are those who are self-insured, but even those trying to obtain insurance through their employers can be denied.

For the whole story, read the following: http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm

Then, contact your Congressional Representative and your state’s Senators.  (I know, I know, but it’s a start.)  You can also file a privacy complaint with Health & Human Services.

Got a problem with the privacy of your health information?  Yes?  Did you read and understand the Notice of Privacy Practices your new provider gave you?  No?  Want more information about how to protect your health information?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  And hey, tell your friends about this blog — bet they could use some help with their health privacy, too.

Should You Bother Getting a Copy of Your Medical Records?

Why yes, you should.

I manage the HIPAA program at a large medical center in the South. About 70-75% of the complaints I receive are about the accuracy of the patient’s medical record. That’s a lot of complaints.

Sometimes the patients want changes made to their records that are just outright fraud. For example, there was the patient last year who wanted me to make his provider add a diagnosis of bi-polar disorder, so that he, the patient, could get more government benefits. Nevermind that the patient didn’t have bi-polar disorder, or any other diagnosed mental disorder; he just wanted the extra money from the benefits.

More often, though, the patients who contact me have legitimate concerns about the information that has been recorded in their medical records. Right now I’ve got a patient whose provider erroneously copied and pasted another patient’s post-surgical notes into his online medical record. The patient is post-op hip replacement. The other patient is post-op removal of a possible cancerous mole. Aside from the obvious problems associated with this kind of mix-up, there are significant potential patient safety issues, as well.

I could give you many more examples of mistakes that have been made in medical records. The point is that you really should request a copy of your medical records from each of your providers. You need to read the records and see what’s in them.

Here are a few things to keep in mind: you have a statutory (legal) right to a copy of your medical records as long as they have not been sequestered as part of a medical-legal action, and you cannot obtain a copy of handwritten notes that are maintained by a mental health provider. Other than that — you have an absolute right to a copy of your records.

Second, keep in mind that your medical records are about you, but they do not belong to you. So the idea that you should be able to get your medical records because “they’re yours” is not true. You are entitled only to a copy of them.

Third, you may get a copy of the medical records of a family member if you have written authorization from the family member to obtain a copy. Parents, you generally don’t need an authorization from your (minor, unemancipated) children in order to get a copy of their records; obtaining copies of medical records for teens, in which there are questions regarding birth control and certain procedures, is dependent on the laws of the state in which you reside.

Most important, your request must be in writing. Your provider has up to 60 days to provide you with the copy of your records, and your provider may charge you a reasonable copying fee.

Had trouble getting a copy of your medical records? Contact me privately at hipaadiva@yahoo.com. I would be happy to help. And yes, I expect to launch a website within the next 30-60 days. In the meantime, I’m glad to help you with any questions you may have about your medical privacy.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.