HIPPA violation?

Published

Just wanted to see what the HIPPA vibe around here is on this issue...violation or not?

A friend of mine went into the hospital last week for an emergency injury. He went in late at night, so I called the next morning to see if I could leave him a voicemail, as he was scheduled for surgery that morning. (we'll call him Ben Smith)

The following conversations ensure:

I call the front desk.

They ask for the patient last name.

Me: "Smith"

Them: "Ben?"

Me: "Yes"

They transfer me to his floors nurses' station. The nurse asks if I would like to talk to him.

Me: "Oh, I thought he was in surgery right now"

Her: "Well, he's going to have to be transferred to another hospital before they can do that"

Me: "Oh, uh, ok"

Her: "Can I tell him who's calling?"

I give her my name and get to talk to him.

Something about all that just didn't seem quite HIPPA friendly. What if he had hated me or didn't want me to know he was there? He wasn't even the one who told me about his going into the hospital...it was another friend.

This guy was my friend...so he was happy to hear from me..and didn't care that i knew he was in the hospital... I'm just thinking if the hospital keeps this up, they're gonna get in trouble eventually...

Yes. They are not supposed to tell you that he is there unless you can provide a full name.

Oh, I didn't know that it was ok for them to give out that information even with a full name. I found the information the nurse gave me a bit more shocking than what the front desk said... I would have thought the nurse should have left that up to the patient to explain that he was going to be transferred....

Would it be good or stupid to do something about this?

Specializes in Emergency Dept.

Our hospital policy is that if they can give the name - we can say yes they are here or no they are not. We do not give any information concerning their condition without the patient's approval.

Sorry, I got interrupted when I posted. Yes, it is a violation. They cannot even tell you if the pt is there unless you can provide a first and last name. They can tell you the pt is being transferred but not where or why. That's it.

At my hospital, we can't even acknowledge that the patient is there even with a full name. I know there has been issues with gang members trying to find patients. Not sure if there are exceptions to this when it comes to immediate family members though.

At my hospital, we can't even acknowledge that the patient is there even with a full name. I know there has been issues with gang members trying to find patients. Not sure if there are exceptions to this when it comes to immediate family members though.

That's a hospital policy. The HIPAA law says that with a name the presence can be acknowledged. As for the example you gave about a gang banger, that's why bangers are usually admitted under false names.

oh ya you are right about that.... its hospital policy, not HIPAA!

q. what is directory information and can it be released to the media under hipaa?

a. under hipaa, hospitals may maintain a directory including a patient's name, location in the hospital, general condition and religious affiliation. if a hospital maintains such a directory, patients must be given the opportunity to object to or restrict the use or disclosure of this information. in no event may information concerning a patient's religious affiliation be released, except to the clergy. other directory information may be released only if the media or the public asks for the patient by name and only after the patient has been given the opportunity and consented to the release of directory information.

q. if a patient has opted not to restrict information, what kinds of condition information may be disclosed?

a. if hipaa privacy standards are met, information, such as general condition information (information that does not communicate specific information about the individual) may be released. the american hospital association recommends, and many hospitals are using, the following terms:

undetermined - patient awaiting physician and assessment.

good - vital signs are stable and within normal limits. patient is conscious and comfortable. indicators are excellent.

fair - vital signs are stable and within normal limits. patient is conscious but may be uncomfortable. indicators are favorable.

serious - vital signs may be unstable and not within normal limits. patient is acutely ill. indicators are questionable.

critical - vital signs are unstable and not within normal limits. patient may be unconscious. indicators are unfavorable.

treated and released - patient received treatment but was not admitted.

with written authorization from the patient, a more detailed statement regarding a patient's condition and injuries or illness can be released.

q. what about patients who are unconscious or otherwise unable to give advance consent for release of their information?

a. in situations where the opportunity to object to or restrict the use or disclosure of information cannot be provided because of an individual's incapacity, a covered entity may use or disclose protected health information if the use and disclosure is: (1) consistent with a prior expressed preference of the individual, if any, that is known to the covered entity; and (2) in the individual's best interest as determined by the covered entity, in the exercise of professional judgment. both conditions (1) and (2) must apply for a provider to release patient information under hipaa if the patient is incapacitated.

http://www.rtnda.org/foi/hipaafaq.shtml

myth #7: a patient cannot be listed in a hospital's directory without the patient's consent and the hospital is prohibited from sharing a patient's directory information with the public.

fact: the privacy rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out. the regulation states that a health care provider, such as a hospital, may maintain a directory that includes the patient's name, location in the facility, and condition in general terms, and disclose such

information to people who ask for the patient by name. the patient must be informed in advance of the use and disclosure and have the opportunity to opt out of having his or her information included in the directory. emergency situations are specifically provided for in the regulation, so if the patient is comatose, or otherwise unable to opt out due to an emergency, the hospital is

permitted to disclose directory information if the disclosure is consistent with the patient's past known expressed preference and the provider determines disclosure is in the individual's best interest. the provider must provide the patient with an opportunity to object, “when it becomes practicable to do so.” any more restricted uses of directory information, such as requiring patients to ask to be listed in, or opt into, the directory, are either the hospital's own policy

or confusion about the privacy regulation. 164.510(a), http://www.hhs.gov/ocr/privacysummary.pdf (page 6), http://www.hhs.gov/ocr/hipaa/ (faq section, page 2, question 37).

myth # 9: patients can sue health care providers for not complying with the hipaa privacy regulation.

fact: the hipaa privacy regulation does not give people the right to sue. even if a person is the victim of an egregious violation of the hipaa privacy rule, the law does not give people the right to sue. instead, individuals must file a written complaint with the secretary of health and human services via the office for civil rights. it is then within the secretary's

discretion to investigate the complaint. hhs may impose civil penalties ranging from $100 to $25,000, and criminal sanctions ranging from $50,000 to $250,000, with corresponding prison terms, may be enforced by the department of justice. however, since the law went into effect, hhs has focused on a complaint-driven process that relies on voluntary compliance with the law. so far, not one civil monetary penalty has been issued. 160.306, 160.312 (a)(1), 160.304(b), 42 u.s.c 1320 et seq., http://www.hhs.gov./news/facts/privacy.html.

http://www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=173435

sometimes it is hard to believe there is still so much misinformation and paranoia about hipaa 3 years after it going into effect.

Yes. They are not supposed to tell you that he is there unless you can provide a full name.

I had a medical office blatantly violate HIPAA recently. I was being referred to another doctor's office and the scheduler left a static-y message on my voicemail. In fact, the only way I could call back was the caller ID number. What really got me upset was that she called 3 times in a half hour while I was out, then turned around and left an urgent voicemail for my husband at HIS WORK! Keep in mind that this was only to schedule an appointment.

I call them back, and I gave my name and said that someone had called me from that office. I guessed at names and they said, "Nope, we don't have anyone by that name who works here." I was really puzzled because this woman left frantic messages on voicemail to call this office IMMEDIATELY. I asked if it was in regard to someone whom I have MPOA, they said no. She asks, what was my name again? I gave them my name. She said we have a [name of my FIL!!] as a patient, but we didn't send any calls for him. I was upset with this office, that they had me play guessing games for them for about 10 minutes, only to reveal that my FIL was a patient, and then this office person denies that someone called at all!!

What was funny, I listened to my voicemail 14 times and got the right name, called them back saying "[Office worker] told me to call for an appointment." Up to this point I had no idea what was going on because I wanted an appointment with another doctor. Well, that was the magic name and I got in!! Never mind that they divulged info about my FIL.

Because of the games they played, I decided not to use that office and I did get in to see my doctor of choice.

That is NOT a HIPAA violation. Offices are allowed to call and schedule appts and they are allowed to call family members that may have a legitimate concern or are also reposnsible for payment.

At my hospital, we can't even acknowledge that the patient is there even with a full name. I know there has been issues with gang members trying to find patients. Not sure if there are exceptions to this when it comes to immediate family members though.
We have a "directory". We say do you want to be in the directory? If you say yes, this means if a person calls and asks for Sally Jones, we will tell them you are here and will transfer the call to you if you are awake. I work in OB, so mostly the reason pt. is w/ us is obvious. We do not answer questions like, was it a boy or a girl or did she have a c.section, or even did she deliver yet? Makes some callers mad. Too bad!
+ Join the Discussion