HIPAA and finding someone who cares

I'm going into nursing school and from what I've read so far this HIPAA privacy bit is like serious business. Yet where I worked previously, I couldn't find anyone to take it seriously. While going through nursing school, I'm working for a diesel engine rebuilding company, and on a weekly basis we receive medical faxes. It seems the local Lincare's fax machine is one digit off from ours. xxx-2855 vs xxx-2885. We get their faxes constantly. These faxes included drug scripts, patient registration forms, patient SSNs, patient medical ID#, itineraries (i.e. Patient is leaving this address in Cleveland and is flying into town on x date for 2 weeks, need x and y installed), test results, etc.

So I've called the Lincares that fax stuff to us and the local branch that was the intended recipient. The ones that faxed stuff to us told me I was lying and couldn't have made a mistake. Another said they were "deeply concerned" and that it wouldn't happen again. It happened again the next morning. So I called the local Lincare after I googled where they were and their number. The manager was "seriously concerned and will look into it". I faxed him copies of everything and he was going to call me back when he fixes the problem. 30 minutes later he calls back "Oh it was just a simple isolated case of human error, nothing to get worked up about, but if it happens again, just refax those onto me, and if you could throw those copies away" :uhoh3: Needless to say, "simple human error" happens about once every week or two. The manager didn't even want to drive 5 minutes down the road to get the faxed records. Just trusted us to dispose of them. So I've been saving them. I've got a stack of faxes about 3/4" high from the past three months.

So I looked up some number for Florida's health department to call them, there's no "HIPAA reporting hotline" that I can find. I got transferred from like desk to desk about 5 times. Got some state employee who assured me it was just "Human error and they couldn't do anything if the fax originated from out of state" and that "I needed to call that state's department".

I'm just half tempted to show up at these patients' houses and hand them their medical records and tell them what happened. I'd imagine if someone showed up at your front door with your name, address, DOB, SSN, etc I'd be pretty ******.

So what is the proper way to get someone to give a crap about this???? Obviously neither side is "deeply concerned" or the problem would be fixed. I would imagine the patients would be deeply concerned. I also don't want to jeopardize anything with my schooling. Like get in the news and be known as a rat/troublemaker or something. Is there any HIPAA hotline to call where people give a crap or is this just the norm?

I assure you I'm not looking to make a mountain out of a molehill or trying to get some kind of publicity with it. Both sides have assured me it's a once in a while "Human error". I've spoken to managers at Lincare, faxed over copies, etc. I should add that we've been disposing these faxes for over a year and it's just rather annoying. Our fax machine is quite an antique and we rarely receive faxes so they use up our paper and ink so getting a simple fax from a customer requires a trip to Office Max for another cartridge. The only reason I was saving them was both sides blow it off as a once in a while thing. 3 months with one every week or two is not a once in a while thing unless we've really lowered expectations. Maybe I didn't make it clear enough. I've faxed them copies of their wrong faxes, I've called 3 different branches, I've been assured that "they are deeply concerned and the problem has been fixed" twice, I called the state that is supposed to be regulating this, they assured me it was no problem and to just destroy the stuff.

Seems simple but their problem is they're faxing sensitive stuff to the wrong number. Their solution is have legal put a disclaimer at the bottom that says it must be destroyed. Poof. Problem solved. Straight out of the Dunder Mifflin playbook of excellent corporate management. I know it may sound like serious out of the box thinking but what's wrong with fixing the fax number? Whatever happened to taking responsibility, combining that with initiative, and handling the problem? God forbid we have to push some buttons and reprogram some fax machines. Definitely moving mountains there.

I'll file one report with the link provided (thanks) and if that doesn't pan out, I'll throw the stuff away, or sell it on Craigslist :devil:.

Specializes in Health Information Management.

As described by the OP, this is a longstanding chain of errors with little or no attempt to fix the problem, not an occasional issue. It could well result in civil fines for the company (up to $50K per incident). Usually criminal charges are only brought in extreme cases, such as those with malicious intent, so I doubt there would be any criminal charges in this type of case.

Health care organizations and the individuals who work for them have to adhere to both state and federal confidentiality/privacy regulations. If the state law is more strict, the company must abide by its regulations in addition to HIPAA. Check out your state's department of health website for more information or contact the state attorney general's office for directions on how to report and pursue the persistent errors of this company. You aren't making a mountain out of a molehill - this is a significant problem that could easily be exploited by someone less scrupulous than you.

The recommendation of HIMSS, a major health information management trade and policy group, is that you mail back the items (there are links below to the HIMSS policy as well as a report by AHIMA on California's strict medical record privacy and breach reporting laws). Personally, unless directed otherwise by a federal official from the Department of Health and Human Services, I would find the address for the company's health information management or risk management department and start mailing them back there, with a letter explaining the situation and the steps you have taken so far in an attempt to rectify the situation. Those records are still someone's protected health data. In some states (like California), the patient is entitled to notification in each instance of a medical data breach.

http://www.himss.org/content/files/CPRIToolkit/version6/v6%20pdf/D80_Communication_Tools.pdf

http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_046934.hcsp?dDocName=bok1_046934

Specializes in OB/GYN, Peds, School Nurse, DD.

I guess it depends on how many "honest mistakes" have been made. Three? Thirty? MORE? I would be furious if my medical and other identifying info was being sent to some random business.

Hmmm, this is the kind of stuff that the media LOVES to get their hands on...Just sayin'

Specializes in NICU, Post-partum.

I think you are just trying to get some kind of attention or crap stirred up.

Just like the other posters said, you are not associated with the gov't agency so therefore, you have no right to keep any of the documents and stockpile them.

I think you are bothered more by the fact it is using up your company ink and paper more than anything else.

By the way, if I was in nursing school, this would be the last battle I would personally tackle myself, especially if I did not own the company...b/c very little is confidential and most anything can be found by an attorney and if it ends up in court you could be called as a witness...and you can kiss your future employment with that hospital system goodbye.

Just shred the freaking documents and call them and let them know.

Specializes in Med Surg.

One thing I haven't seen mentioned. Don't the people whose information was negligently - notice I didn't say accidentally - sent to someone who had no right to it have the right to know about this? Credit providers are required by law to notify customers when their info has been compromised. What about medical providers? How does anyone know how many faxes were negligently sent to other wrong numbers?

Specializes in NICU, Post-partum.

When creditors have to inform their customers about a breach in confidentiality....it does not apply to a case like the one described by the OP.

That has to do with stolen information or a computer system that has been hacked and it is also layered by the fact that you do not know how far-reaching the compromise has taken place...thus, why they are informed.

Specializes in Health Information Management.

Here's an article from the Journal of AHIMA that might help to clarify things a bit with regard to HIPAA and ARRA:

http://journal.ahima.org/2010/02/01/breach-notification-scenarios/

The next article has some interesting information on state breach notification laws. Please note that it is from 2005, and so does not include information on the additional federal notification requirements added under ARRA and put into effect earlier this year:

http://www.aishealth.com/Compliance/Hipaa/RPP_Breach_Notification_Laws_Catching.html

I'm starting to feel like some of my classes will come in useful in the real world. ;) This is the kind of stuff we cover.
