Pea-n-Me
DIS Veteran
Joined Jul 18, 2004
I can agree with most of this. The bolded, I'm not sure about. Hospitals can get fined for things that fall under the jurisdiction of the DPH. These are usually Sentinel Events and major violations, and are thankfully rare. I don't know that anyone from outside the hospital investigates unauthorized medical record access on a small scale. It's possible, but I'm not sure. Each hospital has their own Legal department that deals with such matters.

It is a specific right under HIPAA that a patient may request an accounting of parties to whom health care information has been disclosed outside the organization, and the hospital or practice must comply in most circumstances (psychotherapy notes, for instance, may sometimes be excluded). The part I'm not so sure of is whether the hospital has to give you a list of everyone within their organization who accessed your record. However, hospitals HAVE been fined when security audit trails confirmed someone on their staff looked at the record of a celebrity, so improper viewing is a serious issue for any hospital.
Another specific patient right under HIPAA is the ability to file a privacy complaint and to have that complaint investigated by the Privacy Officer. So, with both of these rights combined, the OP could, theoretically, file a privacy complaint stating she is concerned someone accessed her son's record without a legitimate reason, even if the hospital doesn't initially agree to show her the access list. The hospital, as part of their investigation, would see the doc's name on the list if she did view the record, recognize that she shouldn't have needed access under "minimum necessary" access rules, and take action, all without the OP providing the doc's name. If no names are outside the scope of this patient's care, case closed.
ETA: Looking around myself, it appears that privacy breaches fall under federal guidelines and on a large scale are investigated by the Dept of Health and Human Services Office of Civil Rights, but in reality, not much is done. States may (or may not) be taking matters into their own hands.
Privacy experts say many physicians haven't done much beyond drafting a policy, and enforcement of HIPAA's privacy and security rules has been virtually nonexistent. Enforcement is the responsibility of the Office of Civil Rights, which receives no budget for enforcement activities.
http://www.ama-assn.org/amednews/2008/12/01/bisa1201.htm
Protecting yourself
Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP, said health care entities are unlikely to face criminal sanctions if they have adequate protections in force or are unaware of an unlawful disclosure by an employee.
"If the clinic were on notice or didn't do anything [about the breach], that would potentially cross the line," he said.
Northeast Arkansas Clinic CEO Jim Boswell said the facility has "stringent policies in place to deal with HIPAA violations."
After receiving a complaint from the patient involved, the clinic conducted an internal investigation and immediately terminated Smith, he said. The clinic staff also worked with federal authorities in their probe.
"We will continue to educate and reinforce to our employees the importance of maintaining patient confidentiality," Boswell said.
Even if spared from criminal prosecution, without careful privacy controls, doctors or other covered entities could incur federal civil penalties for being negligent, Lebowitz added. However, the Dept. of Health and Human Services has yet to impose any civil fines.
http://www.ama-assn.org/amednews/2008/12/01/bisa1201.htm
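The investigation the post describes comes down to one mechanical step: pull every access to the patient's chart from the audit trail and check each one against who actually had a treatment relationship with that patient. As an added illustration (not part of the original post, and not any hospital's real system or tooling), the following Python does that reconciliation over a constructed audit log and a constructed care-team table. The user names, patient IDs, timestamps, the "break_glass" action label and the 30-day follow-up grace period are all assumptions made for the example.

```python
"""Reconcile an EHR access audit trail against documented treatment
relationships. Added example with constructed data; nothing here is taken
from a real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    """One line of an audit trail: who opened which chart, when, and how."""
    ts: datetime
    user: str
    role: str
    patient: str
    action: str  # assumed labels: "view", "update", "break_glass"


@dataclass(frozen=True)
class TreatmentRelationship:
    """A documented reason for a user to be in a patient's chart."""
    user: str
    patient: str
    start: datetime
    end: datetime


# Constructed sample data (hypothetical users, patients and dates).
RELATIONSHIPS = [
    TreatmentRelationship("dr_lee", "P1001", datetime(2024, 3, 1), datetime(2024, 3, 10)),
    TreatmentRelationship("rn_ortiz", "P1001", datetime(2024, 3, 1), datetime(2024, 3, 10)),
    TreatmentRelationship("dr_lee", "P1002", datetime(2024, 3, 5), datetime(2024, 3, 6)),
]

AUDIT_LOG = [
    AccessEvent(datetime(2024, 3, 2, 9, 15), "dr_lee", "physician", "P1001", "view"),
    AccessEvent(datetime(2024, 3, 2, 9, 40), "rn_ortiz", "nurse", "P1001", "update"),
    # physician with no relationship to P1001 at all
    AccessEvent(datetime(2024, 3, 3, 22, 5), "dr_patel", "physician", "P1001", "view"),
    # emergency override: allowed through, but must be justified afterwards
    AccessEvent(datetime(2024, 3, 4, 1, 30), "dr_kim", "physician", "P1001", "break_glass"),
    # treating physician, shortly after discharge (within grace period)
    AccessEvent(datetime(2024, 3, 20, 8, 0), "dr_lee", "physician", "P1001", "view"),
    # same physician, long after the relationship ended
    AccessEvent(datetime(2024, 5, 1, 8, 0), "dr_lee", "physician", "P1001", "view"),
    AccessEvent(datetime(2024, 3, 5, 10, 0), "dr_lee", "physician", "P1002", "view"),
]

# Assumed policy: follow-up access is reasonable for a while after discharge.
FOLLOW_UP_GRACE = timedelta(days=30)


def has_relationship(ev, relationships, grace=FOLLOW_UP_GRACE):
    """True if the user had a documented relationship with the patient that
    covers the access time, allowing the follow-up grace period."""
    return any(
        r.user == ev.user
        and r.patient == ev.patient
        and r.start <= ev.ts <= r.end + grace
        for r in relationships
    )


def accounting_for_patient(patient, log):
    """Every access to one patient's chart, oldest first: the list a privacy
    officer pulls when a complaint comes in."""
    return sorted((e for e in log if e.patient == patient), key=lambda e: e.ts)


def flag_unexplained_access(patient, log, relationships):
    """Return (event, reason) for each access the care-team records do not
    explain. Break-glass overrides are reported rather than silently excused,
    since an emergency override is exactly the access that needs a written
    justification under minimum-necessary rules."""
    findings = []
    for ev in accounting_for_patient(patient, log):
        if ev.action == "break_glass":
            findings.append((ev, "break-glass override: justification required"))
        elif not has_relationship(ev, relationships):
            findings.append((ev, "no treatment relationship on record"))
    return findings


if __name__ == "__main__":
    for ev, reason in flag_unexplained_access("P1001", AUDIT_LOG, RELATIONSHIPS):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.user:10} {ev.role:10} {ev.action:12} -> {reason}")
```

Run as written, the report for P1001 lists three accesses: the physician with no relationship, the break-glass override, and the treating physician's view weeks after the grace period expired. The view eight days after discharge is not flagged, and P1002 produces nothing. The point the post makes holds up in the data: the complainant never has to name anyone, because the reconciliation surfaces every name that does not belong.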