Pages

Sunday, November 11, 2007

Information Transfer Violations
The main thrust of HIPAA

We need to include this as well. I will be posting references.

76 comments:

Joel Sherman said...

There are many horror stories available such as people losing their jobs because of the release of medical information to their employers or being denied employment. The topic of the taking of pictures and videos without prior permission in another thread is also pertinent. I also object greatly to the permission to release all records to 'business associates', which could be anyone. Drug companies are routinely able to contact patients directly because of this.
Here's a link to a site dedicated to these problems:
Patient Privacy Rights.

Joel Sherman said...

For those of you who think that HIPAA protects your privacy, think again.
Under expanded rules, HIPAA does more to protect commercial interests than privacy.
Take a look at this. I fully agree with it:
One doctor's view.

Joel Sherman said...

Here's a story about a report from a government panel for strengthening privacy rights and downplaying HIPAA.
I think the recommendations sound good, though they are not fully listed. But they still don't address the biggest fault in HIPAA regulations that of giving full access to business associates some of whom could be in foreign countries and not subject to any US law.

Joel Sherman said...

Here's an interesting report of a striking HIPAA violation leveled against Amgen corporation. Two sales representatives who were fired are suing claiming that Amgen wanted them to go through doctors confidential files to identify patients with psoriasis who could be referred for treatment with their drug Embrel.
Surprisingly stories like this tend to make their way first to financial markets, the Wall Street Journal is a good source, before they make medical journals.

Joel Sherman said...

One of my main complaints against HIPAA regulations is that they make it legal for a drug company to monitor physicians’ prescriptions so that they can better target patients. New Hampshire tried to outlaw it, but the industry is appealing and may win. Here's a brief review of the story.

Joel Sherman said...

There have been lots more articles on Amgen's violation of HIPAA laws trying to push their very expensive new drug Enbrel for psoriasis. There have been no new developments though.
Here's one brief article.
This story is a particularly egregious violation and gives further fuel to my beliefs that pharmacy companies should be bared from any access to patients. Big pharma has much too much power in Washington.
I hope to follow this case carefully, though it will probably take years.

Joel Sherman said...

Here's an article with fuller details on the Amgen and Enbrel story.
The federal government needs to bring separate action against the company as only they can penalize for HIPAA violations.

Joel Sherman said...

In a similar vein, Congress is being pushed to mandate electronic prescribing. I believe its possible benefits are counterbalanced by the huge threat to patient privacy. If we can't keep the pharmacy companies out of our personal information now, just think what they would do with this? I can't imagine how e-prescribing could be protected when so little electronic info has adequate protection now.
The same can be said for electronic medical records (EMR) once they’re available online. Here’s a reference for that.

Joel Sherman said...

Here's a quote from a 2003 federal statement:

Prohibition on Marketing. The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.


How can they possibly mesh these rules with what Amgen and other big pharma companies are doing?

Joel Sherman said...

This is not a new issue, but many are likely not aware of it. Some physicians send their transcriptions overseas to countries such as India to get records emailed back quickly and inexpensively. Even worse, some hospitals send digital x-rays to India as well to get back stat readings in the middle of the night for ER patients so their own radiologists don't have to get up.
There may be nothing wrong with the quality of the work, but US privacy standards (and liability)are clearly at risk in such an arrangement with the well known case of a transcriptionist from the Philippines who threatened to post all records on the web unless she got paid promptly.

Joel Sherman said...

How's this for a scary thought? Microsoft is thinking of selling software that would enable employers to monitor their workers heart rate, emotions et al.
Do you trust Microsoft who by making faulty software is the prime enablers of internet viruses and fraud, to protect your privacy?

Joel Sherman said...

The problem of medical identity theft is related but separate. It's apparently a bigger problem than I was aware of. Your medical identity can be stolen and used to pay for services for someone else under your name or alternatively by dishonest or phony providers to bill for extra services you never received. Either way it's damaging both to you and to the system as a whole.

Joel Sherman said...

Here's another horrible story. They don't seem to be hard to find.
Blue Cross of California has been sending physicians copies of their patients' insurance applications and asking the doctors to notify them if their records show any other unreported undisclosed illnesses that the insurer could use to cancel their policies.
It always amazes me that so many people find nothing wrong with our profit motivated insurance system of private health coverage.

Joel Sherman said...

This reference expresses the California physician's outrage (and mine) more clearly.

Joel Sherman said...

Here's an expose summarizing what's been in the news recently that HIPAA despite over 30000 complaints filed has never prosecuted a single case. I'm not sure that's strictly accurate, but it's close enough.
As a physician who has to deal with all the absurd paper work it generates, I'm sympathetic to inadvertent violations. But the federal agency goes well beyond this, also ignoring systematic abuses by large corporations and pharmaceuticals. They’ve promised to start investigating and enforcing, but nothing has happened yet.

Joel Sherman said...

This article doesn't mention HIPAA at all, it's about electronic medical records (EMR). But the biggest problem with universally accessible EMR is the difficulty protecting patient privacy under HIPAA regulations.
This article discusses an attempt by Google to coordinate EMR with the Cleveland Clinic. It's a huge endeavor.
I personally have no interest in EMR for my solo practice. I would never be able to recoup the startup expenses and the benefits to my practice would be minimal. What's needed is a federally approved and subsidized universal system that's applicable over the nation, between doctor's offices and hospitals. (There’s no reason why physicians and hospitals should have to bear this burden.) We're a long way from that despite repeated grumblings coming out of Congress. Maybe Google is big enough and competent enough to do better, but I wouldn't bet on it.

Joel Sherman said...

Another reference on the same topic of Google working on health information transfers.
This reference rightly points out that Google is not a covered entity under present HIPAA regulations and doesn't have a very good track record on privacy concerns. Yahoo certainly didn't mind releasing names to the Chinese government resulting in the arrests of dissidents. I believe that Google was also implicated in these accusations.

Joel Sherman said...

This is not directly related to patient privacy but it is such a huge abuse that I just have to comment on it.
Here's a reference to the California insurer, Health Net, who retroactively cancelled a patient's insurance while she was engaged in treatment for breast cancer. The reason wasn't that she hid her cancer diagnosis; the company claimed she underestimated her weight and didn't mention some heart problem. The insurance agent was paid a bonus for canceling the policy. In my state and others, insurers are forbidden from reviewing policy applications after a certain length of time. Certainly a cancellation can only be justified if the condition being treated was purposely hidden.
Health Net was fined 9 million, a judgment which is certainly appropriate. These abuses will continue to occur as long as the profit motive rules insurance companies. Only a federal single payer system is likely to curb these abuses IMO.

Joel Sherman said...

Here's a bill being presented in Washington State to prevent drug companies from 'mining' doctors and pharmacies records so that they can better target advertising to patients. It is already law in 3 states but courts have overturned it in two of them, according to this article.
I strongly believe that this prohibition should be made part of HIPAA laws. It's very unlikely to happen though, especially under this administration.

Joel Sherman said...

Here's a pretty good short summary of the limits of patient privacy rights under present HIPAA regulations from New Hampshire.
HIPAA really does more to facilitate the transfer of patient records than it does to safeguard them. There is little hope that records are really private as long as all associate business entities that are not covered directly under HIPAA can access them.

Joel Sherman said...

A follow up on Google and your health information.
This article makes it sound like Google will put the patient in complete control of his medical information and that Google will make no money off it. I'm highly skeptical.
If others can access the info (and they have to for the info to be of any use), how will you prevent them from doing what they want with it? When you couple this with the fact that Google is not even covered by HIPAA (a minimal guarantee), my bet is strong that this info will once again just make its way to insurance companies and big pharma.

Joel Sherman said...

Here's another update on the Amgen Enbrel investigation. The link for the last update I gave has expired.
I still find this alleged abuse incredible.

Joel Sherman said...

The biggest potential danger of electronic medical records is not that big pharmaceutical companies are going to target you with unwanted ads, but that identity thieves will break into the database and steal your personal information including social security numbers. This could lead to all kinds of credit problems for you which can take years to sort out if ever.
Here's an article which discusses it with further references given. HIPAA won't protect you from unwanted use of your records. They make it legal for corporations to contact patients with unwanted advertisements, and no one can stop the illegal access to online databases.

Joel Sherman said...

Here's a reference praising the VA's use of electronic medical records, apparently throughout the national veterans system.
I do believe that this system does indeed promise great benefits for veterans making their records easily available no matter where they pop up in the system. And privacy and HIPAA concerns are minimized when this is a non commercial federal system without hopefully pharmaceutical companies and others being able to data mine the system.
Still the article glosses over some problems. It is indeed nice not to have to struggle over illegible writing, but on the other hand, the reports have to be dictated and then typed into the system, an expensive and cumbersome process. I have also been in hospitals where the nursing staff now spends over half their time caring for computers with the vast data input needed, and spending that much less time with patients.

Joel Sherman said...

Here's the AMA's take on the aforementioned case in California of insurers canceling policies after they start getting big bills. If I had the power, I'd be tempted to fine Health Net into oblivion. My own personal experience with them as a physician has been horrible too.
IMO insurance companies should be absolutely banned from ever rescinding a policy unless they can 1) show fraud on the policy holder's part, 2) relate this fraud to the current claim, and 3) abide by a reasonable time limit such as 6 months to challenge any policy.

Joel Sherman said...

Here's an article about a Texas law which will make medical records of employees available to their employers. Although names will not be given, dates of hospitalizations and treatments will be available making it easy for an employer to figure out who is charging up big bills to their health plan. Needless to say that employee’s job would be in danger. This law might not even be a violation of HIPAA as identities are thinly disguised. Why do employers need any medical details to estimate what their health costs may run, which is the justification given for the law? They know what their costs have been.
In my longer view though, I think the whole system of employer funded health insurance is faulty. Health coverage should be something everyone can obtain, not just those that have good jobs.

Joel Sherman said...

An interesting article about data transfer and privacy. It's applicable to lots more than medicine as it points out the conflicts in laws when information is transferred between the USA and Europe.

Joel Sherman said...

Apparently genetic information used to discriminate against patients is not presently covered under HIPAA. A bill is pending in Congress to extend HIPAA for this, but its fate is not certain.
Here's an article about the problem.

Joel Sherman said...

Here's another article about HIPAA regulations and enforcement procedures. Enforcement has been very lax, but uneven. Inadvertent violations by medical personnel don't require a lot of enforcement but egregious violations by personnel such as in the Spears and Fawcett cases should as well as identity theft violations. There has been no federal enforcement of these violations.
Of course the major 'violations' are legal, the data mining for commercial purposes of medical information by big pharma and others.

Joel Sherman said...

Here's an article which outlines what you can do as an individual under HIPAA if your privacy is violated. As you cannot sue directly under HIPAA, your responses are limited.

Joel Sherman said...

I've tended to ignore Hollywood based stories as they are so often unrelated to the 'real' world of the rest of us. But the HIPAA violations at UCLA are pertinent. I believe that violations of privacy by employees in hospitals are likely fairly common, and the more famous the patient, the more common they are. Here's a NY Times reference.
All hospital based computer systems that I have encountered maintain audit trails of who looks at what so I can't understand how this employee could have looked at over 60 patients until someone got wise to her. I suspect that the hospital was indeed at fault here and sanctions are warranted. Maybe you can't expect isolated violations to be picked up, but you would think that a hospital that treats many celebrities would keep a closer watch on it.

Joel Sherman said...

An article documenting that physicians who violated Spears privacy at UCLA were punished less than lower level employees. No justification for that except the inevitable that people with greater power and importance can protect themselves better.
I would think that they all should have the same penalties, probably a several week suspension unless they sold or released information in which case they should be fired and subject to criminal penalties.

Joel Sherman said...

Here's an account of a nurse convicted of a HIPAA violation for turning patient data over to her husband who used it for blackmail. Cases like this need to be vigorously prosecuted. But I don't think that turning the data over to big corporations so that they can entice patients to use what they're selling is so different in kind. And doing that is legal.

Joel Sherman said...

For reference, here's a federal summary of HIPAA violations by year and state. It's broken down into categories of violations without the specific incidents being listed.

Joel Sherman said...

There's really not too much new on the Amgen Enbrel case where Amgen sent drug reps into doctor's offices to go through medical records to try to get the patient started on their anti-psoriasis drug Enbrel. For many of these patients with mild psoriasis the drug was not even indicated according to the FDA approved labeling.
I think this case is one of the worst pharmaceutical drug company abuses that have come to light. This article gives a good summary. The case has not yet come to litigation. If the facts as given are upheld, I think there should be criminal penalties and large fines. The chance of that happening is slim.

Joel Sherman said...

Here's a quasi legal violation of patients' privacy which I never thought about but have seen enough of. Hospitals use your information to contact you for fund raising. They are now not supposed to use anything more than your name and address, but some may violate this by sending you cancer appeals if they've treated you for cancer for example. This may sound benign but the information gets shared with other parties whose job is fund raising, not health care.

Joel Sherman said...

Here's a much needed House proposal to include more protection for privacy when companies share your information with their 'associates.' A proposal is a long way from a law however.

Joel Sherman said...

Here is a well balanced article outlining the strengths and weaknesses of current HIPAA regulations.
It's true the original act brought concerns about patient privacy to the fore, but it has never been updated to our digital age and still gives far too much access to 'associates.'

Joel Sherman said...

Here's a step in the wrong direction. The California senate has passed a bill allowing pharmacies to pass/? sell prescription information to third parties so that they can send drug information and reminders directly to the patient. There are significant restrictions on the use of the information to appease privacy advocates, but still the bill is a bad precedent which could be expanded. No penalties are listed for violating the restrictions which needs to be part of it.

Joel Sherman said...

Do you know what Farrah Fawcett, Tom Cruise and Paula Abdul have in common?
Well their medical records were all stolen at UCLA Hospital.
Here's an interesting article about that.

Joel Sherman said...

This doesn't neatly fit into any topic here, but is worth alluding to.

A current article in JAMA which I can't freely link to or reprint talks about the use of web based sites to recruit patients into clinical trials. It's an unknown area. These sites ask for clinical information, but are not covered by HIPAA or any other regulation so it's hard to know what risks you may be exposing yourself to.

The reference is:
Bridget M. Kuehn, Companies Use of Web to Recruit Patients for Studies Brings Opportunities, Risks. JAMA. 2008;299(23):2733-2734 (doi:10.1001/jama.299.23.2733)

Joel Sherman said...

This story is scary to me. Stolen America medical data was found on servers in Malaysia and Argentina. The theft was based on Citrix data which is a system that my local hospitals use. It's not given where this info was stolen from, if it is known.
This problem can only get worse.

Joel Sherman said...

Here's a rare criminal prosecution of a HIPAA violation. A clinic nurse turned over medical records of a patient to her lawyer husband who threatened to use them in a case he had pending against the patient. The nurse has pleaded guilty but apparently not been sentenced yet.

Joel Sherman said...

One of the problems with HIPAA laws is that they are complicated enough that they're easy to misinterpret. It is legal to transfer information without consent in emergencies when consent is not obtainable. But HIPAA is often cited as a reason why information can't be given. Sometimes this is just an excuse for not wanting to be bothered, but more often it is just a misunderstanding of the laws.
The bottom line is that penalties for violating HIPAA are rare and major fines almost never happen. Criminal prosecution happens even less.
Here are three cases where HIPAA was the excuse for not sending information.

Joel Sherman said...

This is not clearly a HIPAA violation, but it should be. This kind of violation is what privacy rights groups are yelling about.
You could be denied insurance because insurance companies may have access to online pharmaceutical databases which reveal who takes what. Take meds for depression or anxiety? They may not want to insure you.
These kinds of violations which are not clearly illegal take place all the time.

Joel Sherman said...

This article describes HIPAA violations in Iowa, a patient's medical history being published in a local paper.
It reminds me of a time many years ago when we were driving through rural Pennsylvania and heard a local radio station announcing the admissions and discharges from the local hospital! Hopefully that couldn't happen today, but who knows?

Joel Sherman said...

Several recent articles have stated that hospitals and other covered entities don't have to report internal violations of HIPAA. I'm not sure how you define that. Most violations start out as internal such as all the UCLA violations. What happens after that is difficult for anyone to control.

Joel Sherman said...

Here's a nice little resume about how signing that nice HIPAA form when you visit a doctor doesn't protect your privacy. More likely all it does is tell you who they can share your information with without any further permission. Most of these covered entities are quite reasonable for billing and other medical purposes but once the information gets sent out it can be hard to control.

Joel Sherman said...

The California legislature is proposing a bill to further protect patients' medical records after multiple documented abuses at UCLA Hospital.
This surely is a good idea as privacy is only poorly and sporadically enforced on a federal level and more protection is needed.
I only hope they can accomplish this without the immense useless deluge of paper work that accompanied the passage of HIPAA covering physicians' offices which required signed forms every year from every patient. That was overkill. Nobody read them again and it achieved nothing. We need rational enforcement of abuses not paper work paralysis.

Joel Sherman said...

Here's a new twist I haven't heard of before. Apparently prerecorded telemarketing messages are mostly banned, but there is a specific exemption if the company is covered under HIPAA laws. The idea of this is so that these companies can announce recalls, warnings etc. But I wonder if they usually use the exemption to sell something else. If there's more info available I'll post it.

Joel Sherman said...

Here's a story about a different aspect of the problem with HIPAA. Institutions sometimes use it as an excuse to prevent access or threaten people, often without any understanding of HIPAA laws.

Worse yet, when a fed-up family member snapped a cell-phone photo of a poop-stained towel one staff member left on the floor, management team called it a HIPAA violation and banned them from the building and threated to call the police. Excuse me, since when was taking a photo of poo a HIPAA violation? Can you spot protected health information on dirty linen? I sure can't. It's a good thing, too. Otherwise scam artists would be cracking open septic tanks instead of mailboxes.

The article is interesting if you want to read about poor care in nursing homes.

Joel Sherman said...

Physicians, nurses or aides statements referring to anonymous patients on semi private websites such as MySpace and FaceBook can be grounds for HIPAA based complaints if the patient can recognize themselves on the website. The law here is not clear and will be decided in the courts.
I personally don't understand how it can be a HIPAA violation if only the patient can recognize themselves in the description and not others. That doesn't mean it is proper to discuss patients in a derogative way even anonymously in a public venue. There are plenty of warnings on the net about doctors who do this. An example is Dr Keagirl on her blog. I personally don't discuss private patients here. But I don't know if it rises to the level of a HIPAA or malpractice complaint.

Joel Sherman said...

Allnurses is an endless source of anecdotes. Here's a thread concerning a nurse who looked up her ex's records. He complained to the hospital and she was fired.
Some hospitals even say it's a violation for an employee to look at their own medical records, which I don't understand. Seems to me that your own medical records are under your control and that you have a right to them.

Joel Sherman said...

Here's a story I didn't know. The Department of Defense has all VA and military records gone over supposedly for quality assurance, but the companies that do it can then data mine and sell information.
As usual the government can exempt itself from its own laws just like Congress does.

Joel Sherman said...

Here's a comment from the Institute for Health Freedom concerning Obama's proposed push for a national medical database. I agree fully with the sentiment that first HIPAA needs to be fixed to truly protect patient's privacy. As it stands now, the revised HIPAA act really grants permission to covered entities to share your information with their affiliates, who could be anyone, without your permission. The act was modified to allow free flow of information with little regard for patient privacy. It really needs to be amended so that only the minimum number of entities can get access to information, and keep out big pharma and data miners.

Joel Sherman said...

Here's a story that Congress is in the process of passing a law that would permit states attorney generals to arrange for private citizen suits under HIPAA.
Don't know enough about this to judge. Expanded power to sue under HIPAA would be important to address wrongs. On the other hand, most hospitals and physicians would be unhappy if they could be easily sued for minor stuff, such as leaving out some paper work that can be inadvertently seen by other parties.

Joel Sherman said...

Here's a listing of what's claimed to be all the criminal prosecutions for HIPAA violations to date. There's only 8 of them. I believe they are all concerned with people who tried to sell information.
More needs to be done. But the legal data mining of information for commercial purposes is worse in my opinion.
Hopefully any new laws can differentiate between inadvertent slips versus people who steal and try to sell your information.

MER said...

Relative to this thread, read about what recently happened to Farrah Fawcett as far as the invasion of her personal medical information. Certainly, we are not famous as is she. There's no special interest in us. But if this kind of invasion of personal medical records can happen to her as easily as it did, it can happen to any of us with even more ease.

Joel Sherman said...

Here's a tale of a relatively common violation that occurs in physicians' offices and hospitals, personnel talking loudly to patients or others about their condition so that other patients can overhear what is being said. It's relatively easy to forget and do this, but most offenses happen because personnel just haven't been sensitized to the issue.
Of course regulations to prevent this can be carried to ridiculous extremes. I'm aware of a nursing floor where the patients are only identified by their initials on the wall even in a nurse charting area where no one else should be. Hard to locate patients in such a system and I fear more for a mistaken identity and mix up than anything else.

Joel Sherman said...

Here's the story of a big HIPAA lawsuit filed against Kaiser Permanente of California alleging major privacy breeches.
Of interest, this is a whistle blower's suit which I didn't know was permitted.
If so, there are bound to be more of these.

Debbie Wayne said...

I received a call back in June about a medical bill that I had not paid to Toledo Hospital for services provided. The person that called me could barely speak English, so I asked them if they were outside the US. I was surprised when the representative, John, told me he was calling from Costa Rica. The collector worked for a company called United Collection Bureau and told me they are contracted by ProMedica Health System to collect for Toledo Hospital. I asked John to tell me what procedure the bill was for. I was placed on hold and then was amazed to find that they actually had the information. I am in shock that my medical records are being handled in a 3rd world country. I believe this is a violation of the law, but I'm not certain. I was also told that the collection agency, regardless of where they are, should not have access to the actual procedure.

I went online and found a website for United Collection Bureau. There is a list of offices that does not include Costa Rica. I called and asked if they has an office there and was passed around until someone said no. I called back to John's extension and asked him to confirm. He confirmed that he is in Costa Rica and receives his pay from United Collection Bureau. John knew the president of the company’s name, that the company is based in Ohio, and said that he was willing to cooperate because he understood my anger. I was transferred to an American, I believe in Costa Rica, that basically told me to pay my bill or they would send me to legal. I asked the American woman to give me her name and she hung up. I called John back the next day and he told me he could no longer speak with me; that they had threatened to fire him and he really needs the job.

I'm not out to get a young man working hard in another country fired, so I stopped calling. I did call ProMedica, who claims they had no idea and would investigate. That was back in June. Since then I have received over 20 more calls from people obviously not in America, but unwilling to tell me where they are.

Is this legal?

Joel Sherman said...

Debbie,
You really need a lawyer to fully answer that question.
My surmise is that it is legal as long as the collection agency has agreed to follow HIPAA privacy procedures. HIPAA is clearly not enforceable in other countries, but you could file a complaint against the hospital if you believe that the collection agency has violated your privacy by selling or distributing your information. Collection agencies would have access to the bill which lists diagnoses.
Having said that though, I think you'd be perfectly correct in calling the hospital to complain about them sending your medical information to other countries. That does not imply though that an American company would necessarily be more trustworthy to safeguard your information.

Joel Sherman said...

Here's a summary of an article in JAMA (Journal of the AMA) which reveals that medical students have fallen into the trap of posting protected patient information on social networking sites such as Facebook.
Here's the abstract from JAMA. The full article is not available online.
Apparently most medical schools have not yet made it clear to students that this is a violation of ethics and HIPAA. The article doesn't say how the schools handled the infractions, probably all differently. I'm surprised that the schools have been caught unaware. Surely all hospitals must have policies in place by now.

Joel Sherman said...

This is a new twist. A lawyer in New York has been charged with bribing hospital employees to give him confidential information. He is being prosecuted, but so far no action has been taken against the employees. Most certainly they'll be fired, but there is precedent for substantial HIPAA fines when when for profit violations occur.

Joel Sherman said...

Here's just another example about how national pharmacies can routinely gain access to patient information. It should violate HIPAA regulations, but it is not interpreted that way.

Joel Sherman said...

Here's the report of a very serious leak of information at a Las Vegas hospital. Demographic data including social security numbers have been leaked for months to ambulance chasing attorneys.
Hopefully this violation will set the stage for a rare criminal violation of HIPAA laws.

Joel Sherman said...

Here's a large HIPAA violation in Houston. Sixteen employees were fired for viewing information concerning a hospital physician, a resident who was hospitalized after an accident. It is perhaps unusual in that all were summarily fired including other hospital physicians.

Anonymous said...

Joel -- regarding your last post about these 16 people being fired, note this quote: ""Medical information is so intimate and personal it has to be afforded this level of security," said Shah.

Ironic that it appears the "information" is considered, by some, more sensitive than the "body." This whole notion of privacy, the word itself, has begun to lose its meaning when referring to a person's bodily modesty. It's all about information.

But that quote begs the question --if the information is so intimate and personal, why not the same protection for body access and gender choice. I'm not being exteme here. I still believe that most people under most intimate situations will accept opposite gender care if the communication is good and open and the patient feels he or she is being treated respectfully. But the choice of those others still needs to be accepted.
This all does get back, I believe, to the faulty assumptions some caregivers make about why people feel the way they do about this their modesty. The caregive focus is too often on how they feel about it rather than how the patient feels. The caregiver then assumes if they feel okay the patient should feel okay, too. That may be true for some patients, but not all. It's a complicated issue.
Incidents like this one place the privacy of the paper file, the information, over the actualy, physical patient. At least that's how these HIPAA laws now seem to be interpreted.
MER

Joel Sherman said...

MER, If you review this thread, you'll remember that HIPAA always was about information transfer violations, not personal privacy, especially not bodily privacy or modesty. It was an act primarily meant to regulate the commercial flow of information. Protecting individual patient's right to bodily privacy is peripheral and at best has to be inferred. The act was then amended to afford corporate entities even more freedom.
Modesty violations are more likely to be respected under many states' regulations than federal. Medical personnel are usually taught to respect patients' modesty, but it is rarely a matter of law.

Joel Sherman said...

This is worthy of note. For the first time a medical worker, a fired physician, has been sentenced to jail time for egregious HIPAA violations.
This does mark a turnaround in the seriousness with which these violations are taken. Though I'm somewhat surprised by the jail sentence as the doctor apparently did this out of a sense of revenge, not for commercial motives.

Joel Sherman said...

Here's an article describing a gross violation of patients' privacy rights which was perpetrated by the Ketchikan AK police department. They subpoenaed medical records, but then police officers starting spreading the details about the sexual histories of many women whose histories they now had. Incredibly HIPAA laws do not cover the police; they are not a covered entity. They should be.

Joel Sherman said...

Here's a proposal to strengthen present HIPAA laws. The proposal would let patients restrict access to certain health information and ban the sale of patient data without consent. Both of these proposals are urgently needed in my opinion. Privacy is a sham without these basic protections.

Joel Sherman said...

This may be the first case of a physician receiving jail time for violating HIPAA laws. It concerns a surgeon at UCLA who accessed many patient records including celebrities after he was fired.

Joel Sherman MD said...

Here's a brief article outlining the theft of a computer with hundreds of patient records on it from a Los Angeles rehab center.
Be aware that these thefts happen all the time and are too numerous to reference them all. Sensitive information is never really safe .

Joel Sherman MD said...

It's clear that many nurses don't know that HIPAA prohibits gossiping about patients. They believe that idle coffee room gossip in private is OK. It's not OK; it's just harder to document than electronic violations. This allnurses thread makes it clear that many are still clueless about patient privacy.
Here's another allnurses thread concerning a yound nurse who had no idea she wasn't supposed to idly surf patient records online.

Joel Sherman MD said...

A developing story about the IRS being sued in California for violating the medical records of maybe millions of people. It will be interesting to follow this story as it evolves. Details are sparse so far.

Site Meter