My friend works for a large health insurance company and her daughter works at one of the insurance company's key accounts. The daughter sent the mother an email one day asking for some information about a key account coworker. The mother replied that the daughter's request, which had the last name and date of birth of the coworker, tripped the PHI filter on the email and the mother had to delete the request. The daughter resent the request with the information 'hidden' within a song of silly words and asked if the stupid filters caught the last name and date of birth that time. The mother replied that they didn't. The mother fabricated a response to the daughter so she would stop asking for this information. A day later the mother was fired from her job because human resources said that she had violated HIPAA. How can HIPAA be violated when the mother did not use the name and date of birth and fabricated her response? HR will not look up the key account woman's information because they claim they would be in violation of HIPAA, on the grounds that they have no need to know whether real or false medical information was given, because their perception of what the mother did is more than enough for them to have fired her. Is this really how HIPAA works, or is someone misreading the rule? Thank you in advance for helping.
As a professionally paranoid security guy, I must say that this looks like an attempt to circumvent the safeguards in place. To an outsider this looks like a test run. The mother's best course of action (if truly innocent) was to firmly tell the daughter no, and explain why it was not appropriate to ask, and really not appropriate to try to game the PHI filters. Made-up data has an even worse potential for damaging the privacy of the individual than real data. If they were truly innocent of planning skullduggery, then they are both extremely guilty of poor judgment and disregard for the rules.
Can't blame this one on HIPAA. The mother was guilty of circumventing the protections set in place, breaking the security rules of the insurance company, and playing fast and loose with the patient's PHI, fabricated or not. And yes, HR had no reason to review the real PHI, which would have definitely violated the patient's privacy.