Thursday, March 30, 2006

Flee from Reality

Here is a case of the police losing track of someone and using the convenient HIPAA excuse. But this time, the hospital isn't having it:

In this case, she said, "hospital police say they have no record of any dealings with law enforcement pertaining to Mr. Pharr." Crayton added that she is not aware of any cases at UNC where HIPAA rules have gotten in the way of officials being notified of a criminal defendant's discharge.

So blame HIPAA for the bad guy getting loose didn't work this time, and I think as more folks become better informed we will see less of this. Too bad, it is such a convenient excuse!

Cops and Robbers

When do you give information to the cops, how much do you give, and are you exposed? I am asked this question at nearly every training I give. Here in the state of Washington, the Hospital Association has published a 30+ page guide for front line and emergency room providers. Your state probably has an organization who has at least explored this. On a national level, the National Center for Policy Analysis has this to say:

Daily in emergency departments and inpatient trauma services, and sporadically in other departments, police officers request permission to interview patients who may have experienced, witnessed or perpetrated crimes ranging from motor vehicle crashes to homicides, says the Journal of the American Medical Association (JAMA).
Decision making by both clinicians and police is unstructured, ad hoc and potentially susceptible to adverse outcomes that might be preventable with appropriate guidance, says JAMA.

The cops, who are after all only trying to do their jobs, will always assert that it is okay for you to tell them anything they want. It is important to remember that their goals and exposure are not the same as yours.


A solid two-part article by Diana Kelley in Search Security called "Become compliant -- without breaking the bank":

Here's some good news: For most companies, the lion's share of tools needed to support control objectives for regulatory compliance are already in house. Before investing a single penny in new technology, assess the ability of what you already have.

A lot of the push-back from management comes from the fear of sticker shock. They have heard of other compliant soutions that have cost tons of money. here is your chance to play the hero--- take them a proposal that is cost-effective. They will be happy to take the credit for it :)

Wednesday, March 15, 2006

Yours Truly, Confused

Gotta love this:

A recent Washington, D.C., case suggests that patient privacy continues to be a concern. The Washington Post reported a week ago on the case of a George Washington University sophomore who checked himself into GW Hospital, depressed and thinking of suicide. Soon afterward he received a letter from the university saying he faced possible suspension or expulsion for violating the code of student conduct.
How did the university learn of the student's condition?
"I'm not able to comment on this story due to HIPAA," said Lisa McDonald, the hospital's director of marketing and business development.

Let me see if I have this straight--- our friend Lisa, who is, so far as I can tell from her title, not the compliance officer, but is instead a PR flack for the hospital, says she can't comment on what is on the face of it an egregious violation of the Privacy Rule, because commenting on a HIPAA violation would be a HIPAA violation?
I love this! Let's see if it works for other things--- "I'm sorry officer, I cannot accept this speeding ticket because by doing so I would be violating HIPAA."
"I know I spent the rent money on poker, honey, but we can't discuss it because I don't want to be in violation of the Privacy Rule."
"You know, the Administrative Simplification Rule sets forth civil penalties as high as $250,000.00, and in light of that, I just can't make my child support payment this month--- can't talk about it, though, HIPAA you know."
See how it works! Give it a try!

All My Exes Live In Texas

Here is a good summary of the dust-up going on in the Appeals Court in Texas over HIPAA privacy, from the Dallas Morning News:

Soon after an overhaul of federal health care privacy laws took effect in April 2004, journalists sometimes found they could not gather information usually taken for granted.
Police, fire and hospitals in some cases were using the law to withhold information on crime and accident victims, even refusing to disclose whether someone was injured and how.
Then in December 2004, Texas Attorney General Gregg Abbott ruled that state public information laws trumped the Federal Health Insurance Portability and Accountability Act, known as HIPAA.
Information already deemed public under state laws would remain that way, Abbott said, calling it the strongest legal opinion on the matter in the country.
But that ruling was soon challenged in court. And nearly a year after oral arguments before the Third Court of Appeals in Austin, freedom of information advocates are still waiting for a decision.

As so often happens, there have been cases where administrators have hidden behind HIPAA to avoid accountiblity. There has also been the usual mis-information that has been such a big part of the push-back against the Privacy Rule, including my favorite, the "We can't ask for prayer for our sick church member in the bulletin" canard.

Thursday, March 09, 2006

After the Flood

Got a disaster plan? Other than running in circles and wailing? You better:

According to government studies, two out of five companies that experience a disaster go out of business within five years. If disaster strikes a medical practice, the practice administrator must ensure that business continues in an efficient manner. Downtime means delayed or inaccessible medical records, which impact patient safety and satisfaction, the practice's reputation as well as decreased revenue and productivity. Additionally, HIPAA mandates contingency plans for practice disasters including backup, storage and recovery.

If there is one thing that current events teaches us, it is that we are on our own in the crunch. If you are going to be able to continue to serve your clients after some catastophic event, whether a hurricane, flood, or the janitor tripping over the power cord and frying your server, you need to have a plan. It isn't just the law--- your patients need their information, and you may be the only source for identifying what "that blue pill I take on Thursdays" really is.

Monday, March 06, 2006

That, that dude looks like a lady

Passed on to you, wishing that I found tips like this one in my in-box every monday.

From: Privacy and the Female Impersonator

...It has to do with the HIPPA laws stating that only the patient or insured involved in the issue may speak with an insurance company or health facility on the phone. So, let’s say a husband is trying to sort something out for a sick wife and calls the insurance company.
“It happened to me,” said Cliff P., a friend who was told by an insurance firm that he could not speak for his wife. So, he hung up, called back and said he was Mrs. P.
Cliff, whose voice is a definite baritone, didn’t even bother to hike up his Jockeys.
“I just told them I was my wife,” he recounts. “They handled the business with no problem. How can they question me? What are they gonna say, my voice isn’t feminine enough? That would be an insult, an invasion of my privacy.”
Note to other spouses in similar situations: this may not be legal or even ethical, but it sounds like it might get the job done.
Note to the authorities: Cliff has left the country to debut his act in a Rio nightclub.

Friday, March 03, 2006

Trust Yourself

This question was forwarded to me the other day:

Any thoughts on this issue?
We're having a bit of confusion in our department. One supervisor says it's not against HIPAA for the MTs to transcribe their own reports or their non-adult child's reports (just not spouse or other extended family members). Other supervisor says it's a direct violation and a terminable offense. Can anybody please verify or clarify this for me, point me in the right direction, provide some concise documentation? Greatly appreciated!

The PHI belongs to the patient and it is never a violation for the patient to view, disclose, or use their own PHI. In the case of a non-adult child, as long as the parent is the child’s representative, the same would apply. Possible exceptions would be mental health notes taken by a therapist or analyst, which belong to the note-taker, or cases where the physician or a court have reason to believe the child is at risk from the parent, or where the parent has waived the right to be the child’s representative, once again usually in mental health situations.

Do you have similar questions? Send 'em in. I'll do my best to answer right away!