Advice about HIPAA issue

[Pea-n-Me]

Quote:

Originally Posted by burnurcomputer

Because its *your* health information and you have right to ask for a copy of your records and a record of those who have access to it. Its actually a part of HIPPA to protect the pt. and for the pt. to have full access and knowledge (or block) who can and can't see the health information. Privacy and portability are both part of the act. You have right to know where and when and who has seen your info.

Quote:

Originally Posted by Bukalwew11

People who seem to know say that as a patient, it is your right to know. I have no idea what page this was discussed on but it is back there somewhere.

I don't know if that information belongs to the patient, or the hospital.

Some hospital information is only given out by supoena.

I don't know that one could just waltz in and ask for the information as described in this thread, or that the hospital would be required to hand it over. Doesn't it put them in a somewhat precarious situation, for one thing? What if someone decided to go to the media, say, about this? Or file suit?

Hospitals protect their information, although they could still take action if there was a violation. But they would obviously have to know Dr. Mom's name.

[MrsToad]

Quote:

Originally Posted by Pea-n-Me

I don't know if that information belongs to the patient, or the hospital.

Some hospital information is only given out by supoena.

I don't know that one could just waltz in and ask for the information as described in this thread, or that the hospital would be required to hand it over. Doesn't it put them in a somewhat precarious situation, for one thing? What if someone decided to go to the media, say, about this? Or file suit?

Hospitals protect their information, although they could still take action if there was a violation. But they would obviously have to know Dr. Mom's name.

It is a specific right under HIPAA that a patient may request an accounting of parties to whom health care information has been disclosed outside the organization, and the hospital or practice must comply in most circumstances (psychotherapy notes, for instance, may sometimes be excluded). The part I'm not so sure of is whether the hospital has to give you a list of everyone within their organization who accessed your record. However, hospitals HAVE been fined when security audit trails confirmed someone on their staff looked at the record of a celebrity, so improper viewing is a serious issue for any hospital.

Another specific patient right under HIPAA is the ability to file a privacy complaint and to have that complaint investigated by the Privacy Officer. So, with both of these rights combined, the OP could, theoretically, file a privacy complaint stating she is concerned someone accessed her sons record without a legitimate reason, even if the hospital doesn't initially agree to show her the access list. The hospital, as part of their investigation, would see the doc's name on the list if she did view the record, recognize that she shouldn't have needed access under "minimum necessary" access rules, and take action, all without the OP providing the doc's name. If no names are outside the scope of this patient's care, cased closed.

[MScott1851]

Well, I'm tired of discussing HIPAA, I just want to know whether the other girls' mom accessed the info or not! (Sad to say, being a doctor doesn't mean you don't make stupid decisions.)

OP, hope your son is back to his old self.

[phorsenuf]

Quote:

Originally Posted by MScott1851

Well, I'm tired of discussing HIPAA, I just want to know whether the other girls' mom accessed the info or not! (Sad to say, being a doctor doesn't mean you don't make stupid decisions.)

OP, hope your son is back to his old self.

I just want to say how nice it is to see you here again. It's been a long time! What a cutie pie in your signature!

[chloelovesdisney]

Quote:

Originally Posted by Pea-n-Me

Why do people assume the hospital is just going to hand over a list of all the people who accessed the chart? Isn't that in itself a violation of HIPPA?

No. HIPAA is to protect the patient, it doesn't protect the practioners.

[chloelovesdisney]

Quote:

Originally Posted by DisneyATlast

I also find it interesting that so many people are willing to believe that Dr. Mom violated HIPAA, but at the same time they are adamant that a Privacy Officer is bound by laws that will obligate them to treat her inquiry with the utmost level of confidentiality.

A Privacy Officer's job is all about enforcing confidentiality and protecting patient information. While healthcare workers are trained in the rules, their jobs are to provide patient care.

[Disney Doll]

Quote:

Originally Posted by Pea-n-Me

Don't disagree. But my point was that in the course of his or her job, the Privacy Officer will be discussing this with various people and that in and of itself could be damaging to Dr. Mom's reputation if it's true. I doubt either Dr. Mom or the Privacy officer would jeopardize their jobs by "gossiping".

And I would assume that the people the Privacy Officer discusses it with would understand the importance of confidentiality as well...HR, Nurse Managers, the physician's manager.

[horseshowmom]

Quote:

Originally Posted by FlyingDumbo

I work in a health care facility and people do this all the time. People get fired at least once a year for nosing into someone else's business. Yes, everyone knows not to do it. But it happens everyday. Not everyone gets fired for it, unless a complaint is filed. So I would not be shocked by an MD doing it, I've seen it happen more than once.

File your complaint, it is easy enough to check if she accessed it. She will get fired if she did. And she deserves to get fired. Everyone knows the rules.

Absolutely! I'm not going into detail, but I personally know of a high ranking hospital official (a doctor but in a higher level position) who recently lost their job for doing this very thing. The individual accessed the records, and someone else was made aware of it. A complaint was filed. When the records were checked, it was documented that this person accessed the records.

The individual was fired immediately. I can't imagine risking the salary and prestige this person had, but they did it nonetheless.

[TwingleMum]

Op~ did you ever file a complaint? Did you find out it the girl's Mom accessed your DS's records???

[Pea-n-Me]

Quote:

Originally Posted by chloelovesdisney

No. HIPAA is to protect the patient, it doesn't protect the practioners.

Some information "belongs to" the hospital and doesn't have to be "handed over" or shared, necessarily. It's not clear whether this would be one of these times.

It always amazes me how crystal clear people here are on HIPAA when medical and legal scholars still admit to at times being befuddled by it.

Quote:

Originally Posted by Disney Doll

And I would assume that the people the Privacy Officer discusses it with would understand the importance of confidentiality as well...HR, Nurse Managers, the physician's manager.

In the course of discussion and investigation, word often gets out.

[Pea-n-Me]

Quote:

Originally Posted by MrsToad

It is a specific right under HIPAA that a patient may request an accounting of parties to whom health care information has been disclosed outside the organization, and the hospital or practice must comply in most circumstances (psychotherapy notes, for instance, may sometimes be excluded). The part I'm not so sure of is whether the hospital has to give you a list of everyone within their organization who accessed your record. However, hospitals HAVE been fined when security audit trails confirmed someone on their staff looked at the record of a celebrity, so improper viewing is a serious issue for any hospital.

Another specific patient right under HIPAA is the ability to file a privacy complaint and to have that complaint investigated by the Privacy Officer. So, with both of these rights combined, the OP could, theoretically, file a privacy complaint stating she is concerned someone accessed her sons record without a legitimate reason, even if the hospital doesn't initially agree to show her the access list. The hospital, as part of their investigation, would see the doc's name on the list if she did view the record, recognize that she shouldn't have needed access under "minimum necessary" access rules, and take action, all without the OP providing the doc's name. If no names are outside the scope of this patient's care, cased closed.

I can agree with most of this. The bolded, I'm not sure about. Hospitals can get fined for things that fall under the jurisdiction of the DPH. These are usually Sentinel Events and major violations, and are thankfully rare. I don't know that anyone from outside the hospital investigates unauthorized medical record access on a small scale. It's possible, but I'm not sure. Each hospital has their own Legal department that deals with such matters.

ETA Looking around myself it appears that privacy breeches fall under federal guidelines and on a large scale are investigated by the Dept of Health and Human Services Office of Civil Rights, but in reality, not much is done. States may (or may not) be taking matters into their own hands.

Quote:

Privacy experts say many physicians haven't done much beyond drafting a policy, and enforcement of HIPAA's privacy and security rules has been virtually nonexistent. Enforcement is the responsibility of the Office of Civil Rights, which receives no budget for enforcement activities.

http://www.ama-assn.org/amednews/200...1/bisa1201.htm

Quote:

Protecting yourself

Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP, said health care entities are unlikely to face criminal sanctions if they have adequate protections in force or are unaware of an unlawful disclosure by an employee.

"If the clinic were on notice or didn't do anything [about the breach], that would potentially cross the line," he said.

Northeast Arkansas Clinic CEO Jim Boswell said the facility has "stringent policies in place to deal with HIPAA violations."

After receiving a complaint from the patient involved, the clinic conducted an internal investigation and immediately terminated Smith, he said. The clinic staff also worked with federal authorities in their probe.

"We will continue to educate and reinforce to our employees the importance of maintaining patient confidentiality," Boswell said.

Even if spared from criminal prosecution, without careful privacy controls, doctors or other covered entities could incur federal civil penalties for being negligent, Lebowitz added. However, the Dept. of Health and Human Services has yet to impose any civil fines.

http://www.ama-assn.org/amednews/200...1/bisa1201.htm

[Acklander]

[QUOTE=Pea-n-Me;47353053

It always amazes me how crystal clear people here are on HIPAA when medical and legal scholars still admit to at times being befuddled by it.


In the course of discussion and investigation, word often gets out.[/QUOTE]

I don't think a legal scholar would be befuddled by an event where a dr from a different hospital accessed the records and then told her teen daughter the results of the tests. Even those with the vaguest of an idea of what HIPAA is, could call this one correctly.

[dakcp2001]

Waiting to hear an update on what the op did and if the other parent accessed the records or not! Let us know!

[horseshowmom]

Quote:

Originally Posted by Acklander

I don't think a legal scholar would be befuddled by an event where a dr from a different hospital accessed the records and then told her teen daughter the results of the tests. Even those with the vaguest of an idea of what HIPAA is, could call this one correctly.

Definitely. If somebody accesses the records who has no medical reason to do so, they will lose their job. Very simple.

[MrsToad]

Quote:

Originally Posted by Pea-n-Me

I can agree with most of this. The bolded, I'm not sure about. Hospitals can get fined for things that fall under the jurisdiction of the DPH. These are usually Sentinel Events and major violations, and are thankfully rare. I don't know that anyone from outside the hospital investigates unauthorized medical record access on a small scale. It's possible, but I'm not sure. Each hospital has their own Legal department that deals with such matters.

ETA Looking around myself it appears that privacy breeches fall under federal guidelines and on a large scale are investigated by the Dept of Health and Human Services Office of Civil Rights, but in reality, not much is done. States may (or may not) be taking matters into their own hands.

I think it was true that not much was done by HHS and OCR in the beginning, but under HITECH, a 2009 act that strengthens HIPAA enforcement, I think enforcement may increase. Here is an article about some incidents and the results - the last example in the article may be the most similar to this situation (if the doc did snoop inappropriately). In addition, the article notes the severity of fines that can be assessed.
http://compliance.med.nyu.edu/news/d...ent-admissions

And to agree with another poster, I can't imagine how any one person can have a full understanding of the HIPAA and HITECH acts!