Why – You Look Like You Need an Authorization!

Nothing personal, but you really do need an authorization. An authorization signed by you, which your family members, significant others, and close friends can use if something happens to you and you are either unconscious or declared by a physician to be not competent to make decisions about your care, can be a very handy little item to have.

And not just any old authorization, either. You need one that has all the elements required by the HIPAA Privacy Rules.

Just like me, you probably are relatively healthy, maybe a little high cholesterol and a little too much padding, but really, you’re okay. So you’re thinking no, you really don’t need to carry around an authorization. Umm, yes, you do. And here’s why.

What if you get hit by a bus on the way home tonight? Highly unlikely, and certainly we don’t want this to happen, but stay with me on this. You get hit by a bus, you’re taken to the best Emergency Department in the area, and your husband is called. He comes to the ED, and starts to ask questions about you: how are you, can he see you, what is happening or going to happen to you, etc.

Now, let’s say at this hospital the staff have been trained with respect to the HIPAA Privacy Rules. But, they’ve been badly trained. They think that they can’t talk to your husband about you, because that would be “against HIPAA.”

Or, worse, the staff have been well-trained in the HIPAA Privacy Rules but they just don’t feel like dealing with your husband, so they tell him that they can’t talk to him about you, once again because that would be “against HIPAA” and a violation of your privacy.

Think it can’t happen to you? I sincerely hope it doesn’t. But, it’s in your best interest, and that of your family, too, for you and all adult members of your family to have an authorization on hand that can be used in the event that you are unable to make a decision about your healthcare.

The HIPAA Privacy Rules have some very specific requirements regarding what needs to be included in a valid authorization – one that will be honored by that hospital or any of your healthcare providers, insurance companies, etc. Let’s go through them.

Per the HIPAA Privacy Rules (see 45 CFR 164.508[c][1]-[3]), the authorization must include all of the following items:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion: what stuff can your healthcare provider disclose to whoever you’ve named in the authorization?

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure: that would be you.

3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure: that would be your family members, next of kin, significant other(s), close friends, etc. – who can the hospital or healthcare provider disclose your healthcare information to? (Be sure to include your name here. Trust me.)

4. A description of each purpose of the requested use or disclosure: the statement “at my request” is a sufficient description of the purpose when you initiate the authorization and do not, or elect not to, provide an additional statement of the purpose: either state “at my request” (or similar verbiage), or spell out in plain language the reason why you are authorizing healthcare information about you to be disclosed.

5. An expiration date or an expiration event that relates to (you) or the purpose of the use or disclosure: the statement “end of the research study,” “none,” “December 31, 2010” or all similar language is okay.

6. Your signature and the date. (Note: If the authorization is signed by a personal representative of the individual [for example, by a parent or guardian of a minor], include a description of the representative’s authority to act for the individual.)

7. A statement regarding your right to revoke the authorization in writing.

8. The exceptions to the right to revoke and a description of how you may revoke the authorization.

9. A statement that the covered entity (healthcare provider, hospital, etc.) may not condition treatment, payment, enrollment or eligibility for benefits on whether you sign the authorization: this means they cannot refuse to treat you just because you didn’t sign an authorization (not useful for you in most situations, but nonetheless a requirement).

10. The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart: this means that you agree that if the hospital, for example, discloses information about you to your significant other – then the hospital is not responsible if your significant other subsequently discloses your information (gossips) to someone else.

11. The authorization must be written in plain language. Yeah.

Here are my recommendations: all adult members of your family, your significant others, and/or close friends, attorney, etc., should have a copy of your authorization for them to obtain healthcare information about you in the event that you are incapacitated, or incompetent, or even just to pick up your latest prescription. And, just as important, you should encourage them to have authorizations, too, with the names of all the individuals they would like to be able to obtain healthcare information about them in the event that they become incapacitated or incompetent, etc.

An authorization DOES NOT replace a medical power of attorney – you should ensure that all adult members of your family have a signed medical power of attorney prepared by a competent attorney in your state.

But, for situations in which a person may be unconscious or otherwise temporarily unable to authorize a disclosure of their current health situation to another family member or friend, having an authorization in your pocket or purse can save everyone a lot of stress and upset.

If you would like a copy of a HIPAA-proof blank authorization that you can use, email me at hipaadiva@yahoo.com, and I’ll send you one, for free. This offer is only valid until I get my website online; when it’s ready to go then I’ll be offering these authorizations for a fee.

I blog here fairly regularly on all subjects related to patient privacy, the HIPAA Privacy & Security Rules, patient advocacy, etc. I invite you to send me any questions you may have about your medical records, healthcare privacy rights, etc., to hipaadiva@yahoo.com.

If you happen to be a nurse or nursing student, check out cathylwhite.wordpress.com for information about legal issues affecting nurses.


Betcha Thought Big Brother Was the Gov’t — But You Thought Wrong

It turns out that a bigger threat to your privacy may not be the government (though they should certainly be high on the list).  Believe it or not, the bigger threat may be the remarkably potent combo of your health insurance company and your pharmacy.

What??  Your little ol’ pharmacy down at your grocery store, or your local drugstore? 

Yes, indeed, the very ones.

Turns out that the companies operating those pharmacies in your grocery store or drugstore often sell your prescription information to third parties called Pharmacy Benefit Managers. 

The Pharmacy Benefit Managers in turn sell your prescription information to two other companies: MedPoint and IntelliScript.

Here’s how it works: you apply for health coverage with any of a number of insurance companies, including Blue Cross/Blue Shield, Humana, UnitedHealth Group, Aetna, and others.  Generally you sign a release giving your authorization for the insurance company to obtain your previous medical history. 

Then, for a measly $15 a pop, MedPoint and/or IntelliScript sell your pharmaceutical “profile” to health insurance companies.

Here’s the problem: you may have signed a release for the insurance company to obtain your medical history, but you never gave your authorization for your pharmacy to sell your protected health information to MedPoint or IntelliScript.

Your pharmacy profile includes all the medications you’ve taken, along with a sweet little number that clues the insurance company on how much they might have to pay out on you in the future.

Taking anything “off-label”?  Problem.  Taking any mental health meds?  Oops.  You might very easily be denied coverage.

Those who are particularly vulnerable are those who are self-insured, but even those trying to obtain insurance through their employers can be denied.

For the whole story, read the following: http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm

Then, contact your Congressional Representative and your state’s Senators.  (I know, I know, but it’s a start.)  You can also file a privacy complaint with Health & Human Services.

Got a problem with the privacy of your health information?  Yes?  Did you read and understand the Notice of Privacy Practices your new provider gave you?  No?  Want more information about how to protect your health information?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  And hey, tell your friends about this blog — bet they could use some help with their health privacy, too.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.