HIPAA Isn’t Brain Surgery

The other day I noticed that one of my (very competent) colleagues out on the WWW advised that you have a “deep understanding of HIPAA” when advertising his HIPAA training.  I have no doubt that his training is probably stellar.

But, trust me, as a Privacy Officer for the past six years I can tell you that you do not need a deep understanding of HIPAA.    

What you need is to find and rely on those who DO have a solid, boots-on-the-ground understanding of all the major and minor pieces, as well as all of the nuances of the HIPAA privacy rules, and can assist you on an as-needed basis. 

Let’s say that you’re a practice manager, and you’ve been served with a subpoena for copies of the records of one of your patients.  Did you know that you are required by the HIPAA Privacy Rules, to ensure that whoever signed the subpoena has made all other parties aware of the subpoena and provided them with an opportunity to object?  That’s one of the nuances of HIPAA.  And I’ll bet it wasn’t included in that 30-minute training some consultant, with little or no healthcare or compliance experience, sold you.

Did you pay $100s for HIPAA training?  Bought some of those “official HIPAA forms” (no such thing, by the way)?  Did you buy a copier from some company who claimed that their copier (and faxes, and scanners, etc.) were “HIPAA compliant”?  Oops, sorry, there’s no such thing as a “HIPAA-compliant” copier.  (Believe me, you’re not alone — lots of money has been made using the “HIPAA compliant!” label. . .)

If paying all that money for HIPAA training had been enough to keep practices from complaints, then there wouldn’t be 41,000+ complaints filed with HHS in five-plus years. 

That your practice may not have had any complaints doesn’t tell me whether your staff understands their roles regarding HIPAA; it just tells me that your patients don’t know their rights.  Yet.  But that’s changing.  HHS is now getting hundreds more complaints every month.

I’ve been the Privacy Officer responsible for implementation and compliance with the HIPAA Privacy & Security Rules for a large healthcare system for the past six years: 300 beds, 1.5M clinic visits per year, and 6,000+ employees.  THAT’S what gives me a very solid understanding of all the major and minor pieces, not to mention the nuances, of HIPAA Privacy & Security.  The proof is in the pudding — in the past 12 months we’ve had 17 privacy complaints; ten of them were without merit.  Not too shabby.

I’m setting up a HIPAA Privacy & Security practice.  I’ll be offering information based on real experience, with real complaints, and real solutions.  And I’ll be steering you away from almost anything claiming that it’s “HIPAA compliant.”  When it comes to Privacy & Security compliance, most of it relies on the behavior of your staff, and the rest just isn’t that hard.

Keep me in mind.

I blog regularly about HIPAA issues.  If you have a question about either the privacy or security rules, or if you’re having a problem with one of your providers (or one of your patients), email me directly at hipaadiva@yahoo.com.  It would be my pleasure to help you.

It Could Happen to You — A Call to Arms

On August 1, I wrote about how Big Brother may not be just the government, but, surprisingly, also your friendly pharmacist.  The Business Week article that I was referring to (http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm) talked about how someone can be turned down for health insurance because the pharmacies they’ve used in the past have sent their pharmacy information to Pharmacy Benefit Managers (PBMs), who in turn sell the information to third parties, who sell the information to health insurance companies, who then deny health coverage. 

Sweet, huh?  For the health insurance companies, anyway.  But not for you.  Or your family.

And the road from the pharmacy to the PBM to the third party is all done without your authorization.  Which seems kind of funny to me, because pharmacies are HIPAA “covered entities”, and they need to have your authorization to share your protected health information, except in very specific circumstances.

Now, the HIPAA Privacy Rules allow an entity called a “Business Associate” to do business with a covered entity such as a pharmacy.  In such cases, the pharmacy, as the covered entity, must execute what’s called a “Business Associate Agreement” with the business associate, and part of the agreement allows the covered entity to share identifiable protected health information so that the business associate can do all kinds of things, under contract, to the covered entity — in this case, the pharmacy.

Okay.  So far we have a covered entity, the pharmacy.  And we have a business associate of the pharmacy, the PBM, pharmacy benefit manager.  Why would the pharmacy contract with a PBM? 

Because PBMs do all kinds of useful things that they can probably do a lot less expensively than the pharmacy.  Wikipedia says this about PBMs: PBMs are “. . . third party administrator(s) of prescription drug programs. They are primarily responsible for processing and paying prescription drug claims. They also are responsible for developing and maintaining the formulary, contracting with pharmacies, and negotiating discounts and rebates with drug manufacturers.  Due to their larger purchasing pool for prescription drugs, PBMs can negotiate rebates and discounts on behalf of their clients.”

I think we can agree that PBMs provide very useful services to pharmacies, right?  Good.

The problem comes along when the PBM sells your identified protected health information to yet a third party, for a profit.

I have a problem with that, a huge problem. 

The HIPAA Privacy Rules don’t allow your identifiable protected health information to be sold without your authorization. 

When was the last time your pharmacy asked your permission to sell your protected health information, or the protected health information of your children?  Gosh, I don’t remember ever being asked by a pharmacy to do such a thing with my protected health information. . . 

So I’m asking for your support: I’d like you to send an email to Health & Human Services and ask them the following questions:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Folks, the FTC has looked into this and not seen a problem with the practice of PBMs selling your identifiable protected health information.  But they are not responsible for the HIPAA Privacy Rules, Health & Human Services is.

So, please — send an email to OCRPrivacy@hhs.gov and ask them the above questions.  The more people who ask, the more they’ll pay attention and look at this very serious problem.

If you think this couldn’t really be an important issue, then I’d like to introduce you to Mr. Walter Shelton and his wife, Paula, who were denied health insurance because pharmacies they’d used in the past — WalMart and Randall’s (part of Safeway) — sent their identifiable protected health information to a PBM, who, without their authorization, sold it to a company called Med Point.  Med Point put together a pharmacy profile on them and sold it, along with the Sheltons’ names, for $15 to Humana.  And then Humana rejected their insurance application because of the use of a couple of very minor medications that many of us may need to use at one time or other.

Have Humana?  How about Aetna?  Blue Cross/Blue Shield?  UnitedHealth Group?  Some other health insurance?  Do you ever get your prescriptions filled at WalMart?  Safeway?  Randalls?  Then yes, it COULD happen to you, when they sell information about you to Med Point or their competitor, IntelliScript, for just $15.

Please everyone, a quick email to OCRPrivacy@hhs.gov — remember, it’s Health & Human Services (HHS) that administers the federal medical privacy laws and rules — and ask them:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Mr. Shelton has already sent his email to HHS, will you send one, too?  Just takes a minute.

THANK YOU!!!

I blog regularly on medical privacy issues, medical records, HIPAA, and other related issues.  If you have any questions about your medical privacy, your ability to get copies of your medical records, privacy problems with your doctors, dentists, chiropractors, psychologists, etc., please send me an email at hipaadiva@yahoo.com — I would be honored to help.

Betcha Thought Big Brother Was the Gov’t — But You Thought Wrong

It turns out that a bigger threat to your privacy may not be the government (though they should certainly be high on the list).  Believe it or not, the bigger threat may be the remarkably potent combo of your health insurance company and your pharmacy.

What??  Your little ol’ pharmacy down at your grocery store, or your local drugstore? 

Yes, indeed, the very ones.

Turns out that the companies operating those pharmacies in your grocery store or drugstore often sell your prescription information to third parties called Pharmacy Benefit Managers. 

The Pharmacy Benefit Managers in turn sell your prescription information to two other companies: MedPoint and Intelliscript.

Here’s how it works: you apply for health coverage with any of a number of insurance companies, including Blue Cross/Blue Shield, Humana, UnitedHealth Group, Aetna, and others.  Generally you sign a release giving your authorization for the insurance company to obtain your previous medical history. 

Then, for a measly $15 a pop, MedPoint and/or Intelliscript sell your pharmaceutical “profile” to health insurance companies.

Here’s the problem: you may have signed a release for the insurance company to obtain your medical history, but you never gave your authorization for your pharmacy to sell your protected health information to MedPoint or IntelliScript.

Your pharmacy profile includes all the medications you’ve taken, along with a sweet little number that clues the insurance company on how much they might have to pay out on you in the future.

Taking anything “off-label”?  Problem.  Taking any mental health meds ?  Oops.  You might very easily be denied coverage.

Those who are particularly vulnerable are those who are self-insured, but even those trying to obtain insurance through their employers can be denied.

For the whole story, read the following: http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm

Then, contact your Congressional Representative and your state’s Senators.  (I know, I know, but it’s a start.)  You can also file a privacy complaint with Health & Human Services.

Got a problem with the privacy of your health information?  Yes?  Did you read and understand the Notice of Privacy Practices your new provider gave you?  No?  Want more information about how to protect your health information?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  And hey, tell your friends about this blog — bet they could use some help with their health privacy, too.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.