Tag Archives: medical records

It Could Happen to You — A Call to Arms

On August 1, I wrote about how Big Brother may not be just the government, but, surprisingly, also your friendly pharmacist.  The Business Week article that I was referring to (http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm) talked about how someone can be turned down for health insurance because the pharmacies they’ve used in the past have sent their pharmacy information to Pharmacy Benefit Managers (PBMs), who in turn sell the information to third parties, who sell the information to health insurance companies, who then deny health coverage. 

Sweet, huh?  For the health insurance companies, anyway.  But not for you.  Or your family.

And the road from the pharmacy to the PBM to the third party is all done without your authorization.  Which seems kind of funny to me, because pharmacies are HIPAA “covered entities”, and they need to have your authorization to share your protected health information, except in very specific circumstances.

Now, the HIPAA Privacy Rules allow an entity called a “Business Associate” to do business with a covered entity such as a pharmacy.  In such cases, the pharmacy, as the covered entity, must execute what’s called a “Business Associate Agreement” with the business associate, and part of the agreement allows the covered entity to share identifiable protected health information so that the business associate can do all kinds of things, under contract, for the covered entity — in this case, the pharmacy.

Okay.  So far we have a covered entity, the pharmacy.  And we have a business associate of the pharmacy, the PBM, pharmacy benefit manager.  Why would the pharmacy contract with a PBM? 

Because PBMs do all kinds of useful things that they can probably do a lot less expensively than the pharmacy.  Wikipedia says this about PBMs: PBMs are “. . . third party administrator(s) of prescription drug programs. They are primarily responsible for processing and paying prescription drug claims. They also are responsible for developing and maintaining the formulary, contracting with pharmacies, and negotiating discounts and rebates with drug manufacturers.  Due to their larger purchasing pool for prescription drugs, PBMs can negotiate rebates and discounts on behalf of their clients.”

I think we can agree that PBMs provide very useful services to pharmacies, right?  Good.

The problem comes along when the PBM sells your identified protected health information to yet a third party, for a profit.

I have a problem with that, a huge problem. 

The HIPAA Privacy Rules don’t allow your identifiable protected health information to be sold without your authorization. 

When was the last time your pharmacy asked your permission to sell your protected health information, or the protected health information of your children?  Gosh, I don’t remember ever being asked by a pharmacy to do such a thing with my protected health information. . . 

So I’m asking for your support: I’d like you to send an email to Health & Human Services and ask them the following questions:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Folks, the FTC has looked into this and not seen a problem with the practice of PBMs selling your identifiable protected health information.  But they are not responsible for the HIPAA Privacy Rules; Health & Human Services is.

So, please — send an email to OCRPrivacy@hhs.gov and ask them the above questions.  The more people who ask, the more they’ll pay attention and look at this very serious problem.

If you think this couldn’t really be an important issue, then I’d like to introduce you to Mr. Walter Shelton and his wife, Paula, who were denied health insurance because pharmacies they’d used in the past — WalMart and Randalls (part of Safeway) — sent their identifiable protected health information to a PBM, who, without their authorization, sold it to a company called Med Point.  Med Point put together a pharmacy profile on them and sold it, along with the Sheltons’ names, for $15 to Humana.  And then Humana rejected their insurance application because of the use of a couple of very minor medications that many of us may need to use at one time or other.

Have Humana?  How about Aetna?  Blue Cross/Blue Shield?  UnitedHealth Group?  Some other health insurance?  Do you ever get your prescriptions filled at WalMart?  Safeway?  Randalls?  Then yes, it COULD happen to you, when they sell information about you to Med Point or their competitor, IntelliScript, for just $15.

Please everyone, a quick email to OCRPrivacy@hhs.gov — remember, it’s Health & Human Services (HHS) that administers the federal medical privacy laws and rules — and ask them:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Mr. Shelton has already sent his email to HHS.  Will you send one, too?  It just takes a minute.

THANK YOU!!!

I blog regularly on medical privacy issues, medical records, HIPAA, and other related issues.  If you have any questions about your medical privacy, your ability to get copies of your medical records, privacy problems with your doctors, dentists, chiropractors, psychologists, etc., please send me an email at hipaadiva@yahoo.com — I would be honored to help.

HIPAA Complaints — Yes, We Have Some Statistics, and You’re Not Alone

HIPAA privacy and security complaint statistics have been made available for June.  You may not realize it, but the federal HIPAA Privacy program is administered by Health & Human Services (HHS) Office of Civil Rights (OCR). 

Let’s see how things are going.

June 2008 — OCR received 849 HIPAA privacy complaints.  Ouch.

OCR pegged 256 cases that required some kind of action by the HIPAA covered entity (that would be a provider, a hospital, an insurance plan, folks like that who work with your protected health information).  If all 256 of those cases were filed in June, it means that a quick look-see at the complaints, just for June, reveals at least 30% of them will require that the provider or hospital or health plan DO SOMETHING to protect your health information.

OCR made one referral to the Department of Justice for potential prosecution.  Not bad, especially considering that OCR has referred 436 cases to DOJ since April 2003.  We can interpret this one of two ways: either the bad guys are getting better at getting away with stealing your protected health information, or providers, hospitals, and health plans are getting better at protecting it.  (I wouldn’t put any money on the second possibility.)

The most common HIPAA privacy complaints were:

—  Unauthorized disclosures of protected health information

—  Safeguard issues — the doctors, or practices, or health plans, etc., were not taking as good care of your protected health information as they probably should

—  Denial of patient requests for copies of their medical records

—  Disclosing too much protected health information 

—  Utilizing invalid authorizations for disclosing protected health information (I’ll explain more about valid authorizations in a future post)

In order, here are the offenders:

—  Private practices

—  Hospitals

—  Outpatient (day surgery) facilities

—  Health Plans (group health plans and health insurance companies)

—  Pharmacies (a small surprise, right?)

The HIPAA Security Rules are administered by CMS — the folks who bring you Medicare.  They received 10 complaints in May — a very big jump for them.

Got a question about your or your family’s protected health information, your medical records, or your HIPAA Privacy & Security rights?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  I’m here to help.  BTW, all posts on my blog, written by me, are (c) 2008 Lane R Hatcher.  If you’d like to reprint, contact me!  And yes, I’m working on a web site.

Should You Bother Getting a Copy of Your Medical Records?

Why yes, you should.

I manage the HIPAA program at a large medical center in the South. About 70-75% of the complaints I receive are about the accuracy of the patient’s medical record. That’s a lot of complaints.

Sometimes the patients want changes made to their records that are just outright fraud. For example, there was the patient last year who wanted me to make his provider add a diagnosis of bi-polar disorder, so that he, the patient, could get more government benefits. Never mind that the patient didn’t have bi-polar disorder, or any other diagnosed mental disorder; he just wanted the extra money from the benefits.

More often, though, the patients who contact me have legitimate concerns about the information that has been recorded in their medical records. Right now I’ve got a patient whose provider erroneously copied and pasted another patient’s post-surgical notes into his online medical record. The patient is post-op hip replacement. The other patient is post-op removal of a possible cancerous mole. Aside from the obvious problems associated with this kind of mix-up, there are significant potential patient safety issues, as well.

I could give you many more examples of mistakes that have been made in medical records. The point is that you really should request a copy of your medical records from each of your providers. You need to read the records and see what’s in them.

Here are a few things to keep in mind. First, you have a statutory (legal) right to a copy of your medical records as long as they have not been sequestered as part of a medical-legal action, and you cannot obtain a copy of handwritten notes that are maintained by a mental health provider. Other than that — you have an absolute right to a copy of your records.

Second, keep in mind that your medical records are about you, but they do not belong to you. So the idea that you should be able to get your medical records because “they’re yours” is not true. You are entitled only to a copy of them.

Third, you may get a copy of the medical records of a family member if you have written authorization from the family member to obtain a copy. Parents, you generally don’t need an authorization from your (minor, unemancipated) children in order to get a copy of their records; obtaining copies of medical records for teens, in which there are questions regarding birth control and certain procedures, is dependent on the laws of the state in which you reside.

Most important, your request must be in writing. Your provider has up to 60 days to provide you with the copy of your records, and your provider may charge you a reasonable copying fee.

Had trouble getting a copy of your medical records? Contact me privately at hipaadiva@yahoo.com. I would be happy to help. And yes, I expect to launch a website within the next 30-60 days. In the meantime, I’m glad to help you with any questions you may have about your medical privacy.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.