Tag Archives: covered entity

It Could Happen to You — A Call to Arms

On August 1, I wrote about how Big Brother may not be just the government, but, surprisingly, also your friendly pharmacist.  The Business Week article that I was referring to (http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm) talked about how someone can be turned down for health insurance because the pharmacies they’ve used in the past have sent their pharmacy information to Pharmacy Benefit Managers (PBMs), who in turn sell the information to third parties, who sell the information to health insurance companies, who then deny health coverage. 

Sweet, huh?  For the health insurance companies, anyway.  But not for you.  Or your family.

And the road from the pharmacy to the PBM to the third party is all done without your authorization.  Which seems kind of funny to me, because pharmacies are HIPAA “covered entities”, and they need to have your authorization to share your protected health information, except in very specific circumstances.

Now, the HIPAA Privacy Rules allow an entity called a “Business Associate” to do business with a covered entity such as a pharmacy.  In such cases, the pharmacy, as the covered entity, must execute what’s called a “Business Associate Agreement” with the business associate, and part of the agreement allows the covered entity to share identifiable protected health information so that the business associate can do all kinds of things, under contract, for the covered entity — in this case, the pharmacy.

Okay.  So far we have a covered entity, the pharmacy.  And we have a business associate of the pharmacy, the PBM, pharmacy benefit manager.  Why would the pharmacy contract with a PBM? 

Because PBMs do all kinds of useful things that they can probably do a lot less expensively than the pharmacy.  Wikipedia says this about PBMs: PBMs are “. . . third party administrator(s) of prescription drug programs. They are primarily responsible for processing and paying prescription drug claims. They also are responsible for developing and maintaining the formulary, contracting with pharmacies, and negotiating discounts and rebates with drug manufacturers.  Due to their larger purchasing pool for prescription drugs, PBMs can negotiate rebates and discounts on behalf of their clients.”

I think we can agree that PBMs provide very useful services to pharmacies, right?  Good.

The problem comes along when the PBM sells your identified protected health information to yet a third party, for a profit.

I have a problem with that, a huge problem. 

The HIPAA Privacy Rules don’t allow your identifiable protected health information to be sold without your authorization. 

When was the last time your pharmacy asked your permission to sell your protected health information, or the protected health information of your children?  Gosh, I don’t remember ever being asked by a pharmacy to do such a thing with my protected health information. . . 

So I’m asking for your support: I’d like you to send an email to Health & Human Services and ask them the following questions:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Folks, the FTC has looked into this and not seen a problem with the practice of PBMs selling your identifiable protected health information.  But they are not responsible for the HIPAA Privacy Rules; Health & Human Services is.

So, please — send an email to OCRPrivacy@hhs.gov and ask them the above questions.  The more people who ask, the more they’ll pay attention and look at this very serious problem.

If you think this couldn’t really be an important issue, then I’d like to introduce you to Mr. Walter Shelton and his wife, Paula, who were denied health insurance because pharmacies they’d used in the past — WalMart and Randall’s (part of Safeway) — sent their identifiable protected health information to a PBM, who, without their authorization, sold it to a company called Med Point.  Med Point put together a pharmacy profile on them and sold it, along with the Sheltons’ names, for $15 to Humana.  And then Humana rejected their insurance application because of the use of a couple of very minor medications that many of us may need to use at one time or another.

Have Humana?  How about Aetna?  Blue Cross/Blue Shield?  UnitedHealth Group?  Some other health insurance?  Do you ever get your prescriptions filled at WalMart?  Safeway?  Randalls?  Then yes, it COULD happen to you, when they sell information about you to Med Point or their competitor, IntelliScript, for just $15.

Please everyone, a quick email to OCRPrivacy@hhs.gov — remember, it’s Health & Human Services (HHS) that administers the federal medical privacy laws and rules — and ask them:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Mr. Shelton has already sent his email to HHS.  Will you send one, too?  Just takes a minute.

THANK YOU!!!

I blog regularly on medical privacy issues, medical records, HIPAA, and other related issues.  If you have any questions about your medical privacy, your ability to get copies of your medical records, privacy problems with your doctors, dentists, chiropractors, psychologists, etc., please send me an email at hipaadiva@yahoo.com — I would be honored to help.


You Took Your Injured Friend to the ED. He’s Unconscious. He Has No Relatives. His Doctors Won’t Tell You Anything. What Can You Do?

This is one of the most heart-wrenching situations that I hear about: a person brings their friend to the ED, because the friend is very sick or injured.  The ED is treating the friend, but for a period of time the friend is unconscious.  You inquire about your friend’s status.  The staff says, “We can’t tell you anything because of HIPAA.”  Or, “We can’t tell you anything because of privacy.”  Or some variation on the theme.

Frustrating and very upsetting, no?

Even more frustrating is that it’s NOT TRUE.

That’s right.   The HIPAA Privacy Rules specifically allow healthcare providers to give limited information about a person to the person’s friend or family members if, in the best judgment of the providers, such a disclosure would be in the best interest of the patient.

Well, geez, I’m thinking that it’s definitely in the best interest of your unconscious friend for the doc to let you know what’s going on, or at least what to expect.  What do they think — that you’re going to use the fact that your friend is suffering from, say, a bad concussion, to steal the friend’s identity and go on a spending spree with his credit cards?  Come on, get REAL.

Here’s what Health & Human Services — remember, they’re the ones that administer and are responsible for the HIPAA Privacy Rules — says about the subject — and I’m copying this straight from their website (http://www.hhs.gov/hipaafaq/notice/488.html)!

Here ya go —

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

“Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care.

“If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object.

“The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

“A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.

“A hospital may discuss a patient’s payment options with her adult daughter.

“A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.

“A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

“Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

“A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.

“A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone. 

“In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.”

How about THAT! 

Sometimes I think that the excuse “We can’t do X-Y-Z because of HIPAA” is just that — an excuse that a lazy healthcare provider or administrative staff uses to get them out of doing their job.  Sounds official, though, doesn’t it?  “Can’t do it because of the HIPAA LAW.”  Well, uh, that isn’t what the HIPAA rules say.

There you have it — use this information next time you need it.

Next time on this blog — how to protect yourself and your family members and friends from having to deal with the “I can’t do it because of the HIPAA law” excuse.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’re having a problem related to healthcare/patient privacy, getting a copy of your medical records (or those of your family), and other health privacy related questions — I’d be honored to help, so please email me directly at hipaadiva@yahoo.com.  And yes, I’m working on the website!  And yes, please tell your friends about this blog!