Friday, March 09, 2007

Mr. Postman

From the comment section, below:

Anyone, please point me to right direction. My niece married to a doctor who later turned out to be a jerk. My niece finally gave up and filed for divorce. While the divorce is still pending he disclosed some very sensitive health information of his wife to like half of the town. Somebody told us to file a HIPAA complaint but we are not sure if it falls under that law? Where to start from and what should we expect from HIPAA's end?
Thanks in advance for your help.

HIPAA will only apply if the doctor was also her caregiver. Information gathered and shared as a spouse is not covered, and the fact of his being a doctor will not automatically make him a covered entity.
Although things are looking better, enforcement has been very lax under the current administration. You might inquire, though, and other local privacy laws may apply.
The complaint process is here:
Good Luck!

Friday, March 02, 2007

Easy Does It

Here is what happens when HIPAA training happens in a calm and sensible manner:

Although people might complain about HIPAA requirements I no longer feel that they have a leg to stand on. There is nothing outrageous in these requirements (except maybe one or two really quirky things) and the only real problem will be the way that the auditors interpret the HIPAA standards and how they are applied within an organization. Of course this is true of any standard. There will always be a negotiation of the level of protections compared to the risks involved. My personal feeling is that through HIPAA we have a standard, an overall policy, that is applicable to these specific organizations. We can point to these standards when the organization fails to adequately protect the sensitive information with which they are entrusted.

See? It wasn't that difficult, now was it?

Thursday, March 01, 2007

One (hu)'man One Vote

This is wrong in so many ways! Professional breach, HIPAA violation and most likely election law violation too. (My wife is a candidate for city council here on the opposite corner of the country, and while state laws vary, the allowable sources of voter information are usually pretty narrow.)

In her zeal to drum up votes for her husband, Loretta Jason said she used the customer list at Publix's pharmacy, where she works, to get the unlisted home number of a Dania Beach family to ask for their votes in the city's Feb. 13 primary.

I have a great deal of sympathy for the poor lady, who after all was just trying to help her husband make a difference. Still, some pretty poor judgement on her part, poor enough that I tend to think she wasn't entirely unaware, and perhaps just didn't think she would get caught.

Street Fighting Man

Yes, HIPAA does mandate the assault of photographers, if Mr. Moon is to be believed:

During the pandemic drill on November 30, Mr. Sharpe approached news photographer Chip Moon from behind without warning, grabbed the photographer's arm and pulled him across the room to a Hudson police officer, demanding that the officer confiscate Mr. Moon's equipment and destroy any images in his camera.
The Independent had assigned Mr. Moon to photograph the event and had received advance clearance from the county Health Department. When a Health Department official at the site confirmed that Mr. Moon was authorized to be at the event, Mr. Sharpe left the room without any explanation.
According to the stipulation, in addition to serving a 30-calendar-day suspension without pay and issuing a statement expressing regret for his actions, Mr. Sharpe waives any right to a hearing. He acknowledges that he was offered the opportunity to consult with an attorney.
In his statement, Mr. Sharpe says at the time of the incident he had received a radio message that there was a breach of security by a photographer inside the school. "Due to the fact that established protocol was altered, I was unaware that the photographer had been given access and permission to take photos," he writes. "Being mindful of HIPAA rules and regulations, my actions were two-fold: 1) to protect the privacy of the person receiving the flu inoculation and 2) to protect the County from possible Federal HIPAA Law violation." HIPAA refers to the federal Health Insurance Portability and Accountability Act, part of which protects the confidentiality of patient records.

It is gratifying to learn that, as much as I love HIPAA and all of the many things it allows, there is someone out there even more concerned about the privacy of others, enough so that he was ready to throw his body in the path of the rogue photographer in question and manhandle him away from the exposed vaccinationees!

Start Me Up

Jury returns guilty verdict in first HIPAA trial
The owner of a Florida claims handling company has been convicted of conspiracy to commit fraud, computer fraud, identity theft related to the use of patient information from a local medical clinic, and violating the Health Insurance Portability and Accountability Act (HIPAA) through wrongful disclosure of personally identifiable health information. This HIPAA prosecution was the first HIPAA violation case that has gone to trial in the U.S., according to the Department of Justice (DOJ).

Identity theft and Medicare fraud. Fernando Ferrer, Jr., the owner of Advanced Medical Claims, Inc., purchased patient information from a former Cleveland Clinic employee. According to the indictment, the clinic employee accessed the clinic's computer system to download the personal identification information of more than 1,100 of the clinic's patients and sold the information to Ferrer. Ferrer then provided the information to others who used it to file fraudulent claims for Medicare reimbursement. The theft resulted in the submission of more than $7 million in fraudulent Medicare claims, with approximately $2.5 million paid to providers and suppliers.

Possible sentence. At sentencing, Ferrer faces statutory maximum prison terms of five years on the conspiracy count, five years on the computer fraud count, ten years on the wrongful disclosure of individually identifiable health information count, and two years on each count of aggravated identity theft. In addition, he may be required to pay fines totaling $750,000.

DOJ Press Release, Jan. 24, 2007. From CCH Healthcare.

What's Goin' On

Can anybody make sense of this? Something is off, but there just isn't enough information as to what exactly is going on:
In one case, Mary Dykton, a rehab patient at St. Vincent since her 2003 elective open-heart surgery in Albuquerque, came to know and respect Andermann over the course of regular visits to the hospital gym. When Andermann departed suddenly for England, Dykton asked gym staff for news about Andermann and her father’s health. In doing so, she told one hospital staffer “that I knew what was going on.” Dykton says her comment was in reference to Andermann’s father’s health. But it was interpreted to mean that Dykton, a patient, knew about the hospital’s disciplinary action against Andermann.

In a Jan. 8 letter to St. Vincent CEO Alex Valdez, Dykton refutes the allegation that Andermann ever divulged inappropriate information to her. According to Dykton, Valdez has yet to respond to the letter.

Another former cardiac rehab patient, Santa Fe attorney Jeff Brannen, became a gym regular “because you get to know the people who work there, not because the gym is a great place.”

But after Andermann approached Brannen “as a friend” for a lawyer referral, “Someone there from cardio rehab recognized me as a patient, and apparently by giving her the name of another attorney, that somehow constituted independent grounds for termination,” Brannen says, shaking his head in disbelief.