Monday, July 02, 2007

Mr. Postman

From the comments faaaaar below:

Anonymous said...
My friend works for a large health insurance company and her daughter works at one of the insurance company's key accounts. The daughter sent the mother an email one day asking for some information about a key account coworker. The mother replied that the daughter's request, which had the last name and date of birth of the coworker, tripped the PHI filter on the email and the mother had to delete the request. The daughter resends the request with the information 'hidden' within a song of silly words and asks if the stupid filters caught the last name and date of birth that time. The mother replies that it didn't. The mother fabricates a response to the daughter so she would stop asking for this information. A day later the mother was fired from her job because human resources said that she had violated HIPAA. How can HIPAA be violated when the mother did not use the name and date of birth and fabricated her response? HR will not look up the key account woman's information because they claim they would be in violation of HIPAA based on the reason that they have no need to know if real/false medical information was given because their perception of what the mother did is more than necessary for them to have fired her. Is this really how HIPAA works or is someone misreading the rule? Thank you in advance for helping.

As a professionally paranoid security guy I must say that this looks like an attempt to circumvent the safeguards in place. To an outsider this looks like a test run. The mother's best course of action (if truly innocent) was to firmly tell the daughter no, and explain why it was not appropriate to ask, and really not appropriate to try to game the PHI filters. Made-up data has an even worse potential for damaging the privacy of the individual than real data. If they were truly innocent of planning skullduggery, then they are both extremely guilty of poor judgment and disregard for the rules.
Can't blame this one on HIPAA -- the mother was guilty of circumventing the protections set in place, breaking the security rules of the insurance company, and playing fast and loose with the patient's PHI, fabricated or not. And yes, HR had no reason to review the real PHI, which would have definitely violated the patient's privacy.


Anonymous said...

Thank you for commenting on this strange situation. What has happened since the mother's firing is that mother has been denied unemployment compensation, which has been appealed and will go before an unemployment judge in about a month. The daughter was suspended for one week without pay and ironically received a fifty cent more per hour increase in wages. The mother also contacted the alleged victim by email explaining what had transpired and the woman told the daughter, "Tell your mom it was no big deal...and to not worry about it!" The mother also contacted the HR of daughter's employer by email and explained to the Director what had happened in that fateful email exchange. The HR Director wrote back and explained that their privacy officers agreed that although not a HIPAA violation it was a privacy violation only because of the medium that was used for the communication -- company email. Since HIPAA was not actually violated do you know of any actions that can be taken to have the phrase "HIPAA Violation" expunged from her employment record? Thank you again for responding.

michael said...

Actually I think in her case it would be better to have HIPAA violation rather than privacy violation on her work record. HIPAA violations happen all the time, and can be explained away. With HIPAA most managers would empathize.
Most likely she would have to go through the HR department and request they change it. The only other recourse would most likely involve lawyers and a great deal of expense.
I am appalled that the mother contacted the victim, BTW. This only compounds her obvious disregard for the rules and for the victim's privacy. Perhaps she should seek other work, as she doesn't seem to grasp the importance of patient privacy.

Anonymous said...

You would be surprised at how many different opinions can be gotten from lawyers in that 'free' half hour before it is determined if a lawyer will take the case. The majority saw it as an IT problem and a poor use of company email. All lawyers concurred and blamed IT security because if IT filters really worked, after the initial security popup warning, the email exchange should have been frozen between the mom and daughter. When mom and daughter realized they couldn't chat because of PHI, they'd understand. Subtle and effective.
As for the mother contacting the victim, the victim was already given the mother's name by the insurance company. How is divulging the mother's identity by the insurance company to the victim any less of a privacy violation? The insurance company had to look up the mother's, daughter's, and the victim's addresses to inform the victim. The appearance here is the pot calling the kettle black.
I don't think the mother should have to seek a different type of work because of this incident. She should have been flogged with the HIPAA rule, written up and given time off without pay. The occurrence should have been made into a learning experience. Thank you again for commenting.

Anonymous said...

Just a note to follow up on the outcome of this. The mother won her court appeal against the insurance company. In a hearing with an unemployment judge, the judge ruled in favor of the mother! The mother did what she was supposed to have done under HIPAA and the company's own privacy rules. The HR woman took everything out of context when she fired the mother and the judge looked at it chronologically. Putting the situation in the order of how it occurred helped considerably. To top it off, mother got another job in insurance with a competing company!