HIPPA Violation?

Working in private practice - patient's sister calls describing herself to be patient....new patient that has never been seen before. Sister requests path report results, thinking this is the patient, information was provided. At end of conversation, patient's sister tells you 'I am actually her sister and I was just trying to clear up some information for her. Since there is a problem with transportation we will have to reschedule.' You ask when she would like to reschedule patient's sister tells you she has to look at her calendar and find a day and time she can bring her to clinic.

Is this a HIPPA violation?

Specializes in pediatrics, public health.

I don't see how this could be considered a HIPAA violation, since the sister misrepresented herself as the patient. How could you have possibly known that she was lying?

Thank you for clearing this up!

How do you handle cases where patient does not speak English but family member does and family member would like to know results of labs/scans etc?

Specializes in MCH,NICU,NNsy,Educ,Village Nursing.

OP--I would think that the patient would have to give written permission for you to give the info to a family member. I'm fairly sure that the permits could be translated for the patient so that she/he would know what they were agreeing to.

Specializes in ER, ICU.

Actually I think this is the classic HIPAA violation. Medical information was given out to someone not the patient, and worse someone pretending to be the patient. You should have said that information cannot be given over the phone without positive identification, such as a password chosen by the patient at their first encounter. Birth dates or SS numbers can be obtained fraudulently by many methods.

Specializes in pediatrics, public health.
> Thank you for clearing this up!
>
> How do you handle cases where patient does not speak English but family member does and family member would like to know results of labs/scans etc?

I agree with kakamegamama that you'll need something in writing from the patient giving her sister permission to receive her medical information. Now that you know that the person you spoke to is not the patient, it would be a violation of HIPAA to give her further information without the sister's written permission.

I just wanted to add that, although it's my *opinion* that you shouldn't be held liable for any kind of HIPAA violation in your first conversation with the sister, because she misrepresented herself and you believed her to be the patient, I'm not a lawyer, so you should take my *opinion* with a grain of salt. I'm actually not quite sure what, if any, legal obligation you might have to confirm that the person you're speaking to is in fact the patient. I know that hospitals and doctors' offices do give information out over the phone all the time to people who say they are the patient -- I used to give information out to people saying they were the parents of my patients when I worked in a peds hospital, without asking for any kind of "proof" (not sure what that would be anyway -- SSN? Medical record number?) that they were who they said they were, but it might be that technically you are supposed to ask for that type of confirmation.

In this particular case it may not matter -- sounds like sister may have had patient's permission verbally if she was just helping out with the language barrier -- but for future reference it might be best to consult a HIPAA expert about this issue.

Specializes in pediatrics, public health.
> Actually I think this is the classic HIPAA violation. Medical information was given out to someone not the patient, and worse someone pretending to be the patient. You should have said that information cannot be given over the phone without positive identification, such as a password chosen by the patient at their first encounter. Birth dates or SS numbers can be obtained fraudulently by many methods.

I'm curious -- does the facility where you work have this policy in place, or does this come up very often where you work?

I know that when I worked in peds I very often got calls from the "parents" -- sometimes I had already met them and might recognize their voice, but most of the time I just took their word for it that they were the parents. I wasn't the only one who did this -- this was pretty much the norm at this particular peds hospital. We did have a few sensitive cases where we knew that other family members, or even the media, were trying to get info on the patient -- in those cases we had a code word that they would have to give us to get info, but otherwise I think we pretty much just took the caller's word for it that they were the parent. I'm not aware of any occasions when someone who wasn't actually the parent got info on a patient this way, but I can certainly see how that could happen.

Anytime a call comes into my facility and asks for results I simply state "Nurses cannot give results only the medical Doctor". Anytime you give results you may be interpreting which is out of our scope. I know you meant well and this has happened to a lot of us.

Specializes in Trauma Surgery, Nursing Management.

In the future, I would absolutely get the caller's name and number and then have the DOCTOR call them back. What if it wasn't actually the patient's sister? And LAB results were given? Definitely walking a fine line there.

Patients are told at the time of the visit that lab results will either be mailed to them, or that someone from the office will call THEM. It is never appropriate to give lab results over the phone when someone calls, for specifically this reason.

Specializes in ER, ICU.
> I'm curious -- does the facility where you work have this policy in place, or does this come up very often where you work?
>
> I know that when I worked in peds I very often got calls from the "parents" -- sometimes I had already met them and might recognize their voice, but most of the time I just took their word for it that they were the parents. I wasn't the only one who did this -- this was pretty much the norm at this particular peds hospital. We did have a few sensitive cases where we knew that other family members, or even the media, were trying to get info on the patient -- in those cases we had a code word that they would have to give us to get info, but otherwise I think we pretty much just took the caller's word for it that they were the parent. I'm not aware of any occasions when someone who wasn't actually the parent got info on a patient this way, but I can certainly see how that could happen.

I work at a hospital. We use the last four digits of their hospital record number as a password. This is given to family at admission and we don't give ANY information over the phone without it. If that got overlooked I will ask the family member their name, then call them back using their contact phone number in the chart. If that isn't possible, then they must either come in, or get the password from someone who knows it.

We assume anyone calling has a reasonable right to know, but what if an abusive spouse or stalker is seeking information? Or an employer who has ulterior motives? Or the press? This issue seems mundane but has a huge potential for liability.

> Working in private practice - patient's sister calls describing herself to be patient....new patient that has never been seen before. Sister requests path report results, thinking this is the patient, information was provided. At end of conversation, patient's sister tells you 'I am actually her sister and I was just trying to clear up some information for her. Since there is a problem with transportation we will have to reschedule.' You ask when she would like to reschedule patient's sister tells you she has to look at her calendar and find a day and time she can bring her to clinic.
>
> Is this a HIPPA violation?

I think this is a violation (by the way, it is HIPAA, not HIPPA). There should either be no results given over the phone (I mean, really, anyone could call asking for info. and saying they are the patient) or there should be some way to verify that the patient or officially designated person is calling. Just "assuming" the caller is telling the truth could get you in big trouble, as "assuming" anything often does.