Tag Archives: health care

HIPAA Isn’t Brain Surgery

The other day I noticed that one of my (very competent) colleagues out on the WWW advised that you have a “deep understanding of HIPAA” when advertising his HIPAA training.  I have no doubt that his training is probably stellar.


But, trust me, as a Privacy Officer for the past six years I can tell you that you do not need a deep understanding of HIPAA.    


What you need is to find and rely on those who DO have a solid, boots-on-the-ground understanding of all the major and minor pieces, as well as all of the nuances of the HIPAA privacy rules, and can assist you on an as-needed basis. 


Let’s say that you’re a practice manager, and you’ve been served with a subpoena for copies of the records of one of your patients.  Did you know that you are required by the HIPAA Privacy Rules, to ensure that whoever signed the subpoena has made all other parties aware of the subpoena and provided them with an opportunity to object?  That’s one of the nuances of HIPAA.  And I’ll bet it wasn’t included in that 30-minute training some consultant, with little or no healthcare or compliance experience, sold you.


Did you pay $100s for HIPAA training?  Bought some of those “official HIPAA forms” (no such thing, by the way)?  Did you buy a copier from some company who claimed that their copier (and faxes, and scanners, etc.) were “HIPAA compliant”?  Oops, sorry, there’s no such thing as a “HIPAA-compliant” copier.  (Believe me, you’re not alone — lots of money has been made using the “HIPAA compliant!” label. . .)


If paying all that money for HIPAA training had been enough to keep practices from complaints, then there wouldn’t be 41,000+ complaints filed with HHS in five-plus years. 


That your practice may not have had any complaints doesn’t tell me whether your staff understands their roles regarding HIPAA; it just tells me that your patients don’t know their rights.  Yet.  But that’s changing.  HHS is now getting hundreds more complaints every month.


I’ve been the Privacy Officer responsible for implementation and compliance with the HIPAA Privacy & Security Rules for a large healthcare system for the past six years: 300 beds, 1.5M clinic visits per year, and 6,000+ employees.  THAT’S what gives me a very solid understanding of all the major and minor pieces, not to mention the nuances, of HIPAA Privacy & Security.  The proof is in the pudding — in the past 12 months we’ve had 17 privacy complaints; ten of them were without merit.  Not too shabby.


I’m setting up a HIPAA Privacy & Security practice.  I’ll be offering information based on real experience, with real complaints, and real solutions.  And I’ll be steering you away from almost anything claiming that it’s “HIPAA compliant.”  When it comes to Privacy & Security compliance, most of it relies on the behavior of your staff, and the rest just isn’t that hard.


Keep me in mind.


I blog regularly about HIPAA issues.  If you have a question about either the privacy or security rules, or if you’re having a problem with one of your providers (or one of your patients), email me directly at hipaadiva@yahoo.com.  It would be my pleasure to help you.


Betcha Thought Big Brother Was the Gov’t — But You Thought Wrong

It turns out that a bigger threat to your privacy may not be the government (though they should certainly be high on the list).  Believe it or not, the bigger threat may be the remarkably potent combo of your health insurance company and your pharmacy.

What??  Your little ol’ pharmacy down at your grocery store, or your local drugstore? 

Yes, indeed, the very ones.

Turns out that the companies operating those pharmacies in your grocery store or drugstore often sell your prescription information to third parties called Pharmacy Benefit Managers. 

The Pharmacy Benefit Managers in turn sell your prescription information to two other companies: MedPoint and Intelliscript.

Here’s how it works: you apply for health coverage with any of a number of insurance companies, including Blue Cross/Blue Shield, Humana, UnitedHealth Group, Aetna, and others.  Generally you sign a release giving your authorization for the insurance company to obtain your previous medical history. 

Then, for a measly $15 a pop, MedPoint and/or Intelliscript sell your pharmaceutical “profile” to health insurance companies.

Here’s the problem: you may have signed a release for the insuance company to obtain your medical history, but you never gave your authorization for your pharmacy to sell your protected health information to MedPoint or IntelliScript.

Your pharmacy profile includes all the medications you’ve taken, along with a sweet little number that clues the insurance company on how much they might have to pay out on you in the future.

Taking anything “off-label”?  Problem.  Taking any mental health meds ?  Oops.  You might very easily be denied coverage.

Those who are particularly vulnerable are those who are self-insured, but even those trying to obtain insurance through their employers can be denied.

For the whole story, read the following: http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm

Then, contact your Congressional Representative and your state’s Senators.  (I know, I know, but it’s a start.)  You can also file a privacy complaint with Health & Human Services.

Got a problem with the privacy of your health information?  Yes?  Did you read and understand the Notice of Privacy Practices your new provider gave you?  No?  Want more information about how to protect your health information?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  And hey, tell your friends about this blog — bet they could use some help with their health privacy, too.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.