Advice about HIPAA issue

[Pea-n-Me]

It is a specific right under HIPAA that a patient may request an accounting of parties to whom health care information has been disclosed outside the organization, and the hospital or practice must comply in most circumstances (psychotherapy notes, for instance, may sometimes be excluded). The part I'm not so sure of is whether the hospital has to give you a list of everyone within their organization who accessed your record. However, hospitals HAVE been fined when security audit trails confirmed someone on their staff looked at the record of a celebrity, so improper viewing is a serious issue for any hospital.

Another specific patient right under HIPAA is the ability to file a privacy complaint and to have that complaint investigated by the Privacy Officer. So, with both of these rights combined, the OP could, theoretically, file a privacy complaint stating she is concerned someone accessed her sons record without a legitimate reason, even if the hospital doesn't initially agree to show her the access list. The hospital, as part of their investigation, would see the doc's name on the list if she did view the record, recognize that she shouldn't have needed access under "minimum necessary" access rules, and take action, all without the OP providing the doc's name. If no names are outside the scope of this patient's care, cased closed.

I can agree with most of this. The bolded, I'm not sure about. Hospitals can get fined for things that fall under the jurisdiction of the DPH. These are usually Sentinel Events and major violations, and are thankfully rare. I don't know that anyone from outside the hospital investigates unauthorized medical record access on a small scale. It's possible, but I'm not sure. Each hospital has their own Legal department that deals with such matters.

ETA Looking around myself it appears that privacy breeches fall under federal guidelines and on a large scale are investigated by the Dept of Health and Human Services Office of Civil Rights, but in reality, not much is done. States may (or may not) be taking matters into their own hands.

Privacy experts say many physicians haven't done much beyond drafting a policy, and enforcement of HIPAA's privacy and security rules has been virtually nonexistent. Enforcement is the responsibility of the Office of Civil Rights, which receives no budget for enforcement activities.

http://www.ama-assn.org/amednews/2008/12/01/bisa1201.htm

Protecting yourself

Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP, said health care entities are unlikely to face criminal sanctions if they have adequate protections in force or are unaware of an unlawful disclosure by an employee.

"If the clinic were on notice or didn't do anything [about the breach], that would potentially cross the line," he said.

Northeast Arkansas Clinic CEO Jim Boswell said the facility has "stringent policies in place to deal with HIPAA violations."

After receiving a complaint from the patient involved, the clinic conducted an internal investigation and immediately terminated Smith, he said. The clinic staff also worked with federal authorities in their probe.

"We will continue to educate and reinforce to our employees the importance of maintaining patient confidentiality," Boswell said.

Even if spared from criminal prosecution, without careful privacy controls, doctors or other covered entities could incur federal civil penalties for being negligent, Lebowitz added. However, the Dept. of Health and Human Services has yet to impose any civil fines.

http://www.ama-assn.org/amednews/2008/12/01/bisa1201.htm

 

[Acklander]

I don't think a legal scholar would be befuddled by an event where a dr from a different hospital accessed the records and then told her teen daughter the results of the tests. Even those with the vaguest of an idea of what HIPAA is, could call this one correctly.

 

[dakcp2001]

Waiting to hear an update on what the op did and if the other parent accessed the records or not! Let us know!

 

[horseshowmom]

I don't think a legal scholar would be befuddled by an event where a dr from a different hospital accessed the records and then told her teen daughter the results of the tests. Even those with the vaguest of an idea of what HIPAA is, could call this one correctly.

Definitely. If somebody accesses the records who has no medical reason to do so, they will lose their job. Very simple.

 

[MrsToad]

I can agree with most of this. The bolded, I'm not sure about. Hospitals can get fined for things that fall under the jurisdiction of the DPH. These are usually Sentinel Events and major violations, and are thankfully rare. I don't know that anyone from outside the hospital investigates unauthorized medical record access on a small scale. It's possible, but I'm not sure. Each hospital has their own Legal department that deals with such matters.

ETA Looking around myself it appears that privacy breeches fall under federal guidelines and on a large scale are investigated by the Dept of Health and Human Services Office of Civil Rights, but in reality, not much is done. States may (or may not) be taking matters into their own hands.

I think it was true that not much was done by HHS and OCR in the beginning, but under HITECH, a 2009 act that strengthens HIPAA enforcement, I think enforcement may increase. Here is an article about some incidents and the results - the last example in the article may be the most similar to this situation (if the doc did snoop inappropriately). In addition, the article notes the severity of fines that can be assessed.
http://compliance.med.nyu.edu/news/documenting-inpatient-admissions

And to agree with another poster, I can't imagine how any one person can have a full understanding of the HIPAA and HITECH acts!

 

[chloelovesdisney]

Some information "belongs to" the hospital and doesn't have to be "handed over" or shared, necessarily. It's not clear whether this would be one of these times.

It always amazes me how crystal clear people here are on HIPAA when medical and legal scholars still admit to at times being befuddled by it.


In the course of discussion and investigation, word often gets out.

I've been contacted regarding whether or not staff had legitimate reason to be in a patient's chart, it's always been made clear that it's a confidential matter.

The only patient information in a chart that I know of that isn't released to patients are incident reports. Research records may also be restricted in some cases, but that's disclosed to patients, and are kept separately from patient medical records.

Personally I don't care for the HIPAA rules and wish they would throw them out and greatly simplify them, but the government likes things complicated.

 

[Pea-n-Me]

I think it was true that not much was done by HHS and OCR in the beginning, but under HITECH, a 2009 act that strengthens HIPAA enforcement, I think enforcement may increase. Here is an article about some incidents and the results - the last example in the article may be the most similar to this situation (if the doc did snoop inappropriately). In addition, the article notes the severity of fines that can be assessed.
http://compliance.med.nyu.edu/news/documenting-inpatient-admissions

I am familiar with the HITECH Act. It clarifies some of the issues which were unclear before. (Though some still refer to it as being unclear. ) Regulators wanted something in place prior to national health care getting underway, for coordination, and they also want everyone to have electronic medical records in place in large part for tracking data. What I get from it primarily is that they want medical organizations to have strict policies, safeguards and training in place and if they don't they are subject to liability; and that although unauthorized access to a medical record in an organization - such as the situation in the OP - is addressed, they seem to be far more concerned about large scale data breaches. Penalties imposed seem to hinge in large part on whether safeguards were in place. And as previously, fines and/or discipline seems dependent on many factors; it's not always black and white. In the last example in the link above, it's funny how the doctor got priveleges suspended for two weeks but two other non-doctors got fired. That's the thing - it depends. But no, I don't think anyone would argue that inappropriate access to a medical record by a snooper is ok. I still don't know if we've discovered the answer of whether the hospital has to give up that information to the record holder (possibly); it does appear to have to be reported to the DHUS and I suppose record holders could get it that way if the hospital didn't want to give it directly. Curious to see how it works out for the OP if she comes back.

E-Med Records Privacy: A False Sense Of Security http://www.acluvt.org/blog/2012/11/14/e-med-records-privacy-a-false-sense-of-security/

What is a Breach Under the HITECH Breach Notification Regulations http://www.americanbar.org/newslett...e_home/aba_health_law_esource_0512_eisen.html

 

[npmommie]

Yes the consumer absolutely has the right to get a list of who their health record was shared with and why.
So if there is an electronic trail of who accessed info they will have to tell.

 

[Disney Doll]

I guess I am assuming every insitution functions like mine does, which I probably shouldn't assume.

In my institution they take possible privacy breaches very seriously. The Privacy Offier does their job in a confidential manner and does not discuss it in the cafeteria or with their work BFF. The people who need to be involved in the investigation are made very well aware of the importance of keeping the matter confidential for the reason stated above...you don't want to ruin someone's reputation by blabbing about a privacy investigation where you could find out that there is no breach.

Realisitically everyone involved in the investigation in any way is made well aware that if they breach anyone's confidentiality (patient, RN,MD or anyone else who may be subject to the investigation) by discussing the investigation outside of its "official" compact, that they are subjected to disciplinary action as well, up to and including termination.

It's pretty cut & dried that it's not information for the institution's "grapevine".

 

[keetmommy]

I hWope OP comes back soon and updates!

 

[Princess Dolly]

I hWope OP comes back soon and updates!

I wouldn't hold my breath.

 

[Caropooh]

I hWope OP comes back soon and updates!

Well, it will 2 weeks on THursday since she started the thread. She hasn't posted on the thread (or the DIS) since Saturday the 26th. My bets are on that she won't be updating...