Is this a HIPAA Violation - Invasion of Patient's Privacy?

Would like to know two things: Is this a HIPAA Violation and Can this be removed from an EMR/Patient Portal?

Patient and Doctor had a personal email/conversation over the weekend. More to the story, but Doctor was venting to the patient how frustrated he was with the patient's pharmacy. Patient replied how they agreed it was frustrating and the patient has been frustrated with the pharmacy for several other problems with prescriptions. That's it. The email was as simple as a personal conversation between doctor and patient. On Monday, the patient's email ended up in their portal from the assistant at the doctor's office. Patient has already instructed the office and it's noted in their chart for no one to contact the patient except the doctor and not to contact them through the portal or another secured messaging site. The assistant obviously did not read the note or remember that the patient did not want to receive anything through the patient portal. The patient contacted the assistant and asked why they received the personal email/conversation between the doctor and patient? Then asked "how did you get ahold of it"? The assistant replied "I don't know". The patient asked again "this was a personal conversation/email between the doctor and patient, how did you get it"? "Do you have his password to his home computer to read his messages when he is away"? The assistant replied "I don't know". Patient said "then how did you get ahold of it"? Assistant replied "It comes through the secured messaging site". Patient replied "that they don't use the secured messaging when they found out it wasn't so secured when their personal message to the doctor was being read by assistants and answered by assistants". The assistant then replied "the doctor sent it to the receptionist, who sent it to one assistant who sent it to the other assistant". The patient replied "so everyone in the office just read the personal email/conversation between the doctor and patient"?
"That still doesn't answer why the patient received it through their portal when noted in their chart not to send anything to the patient through the portal or make contact with patient". The assistant replied "it was sent to help with the issues". Patient asked "what issues - there are no issues - the issue has passed". The assistant said "issue with Joe's prescription". The patient said "the prescription for Joe was from over a month ago, issue was resolved over a month ago". Obviously, they didn't read the email/conversation or they would have realized it. Anyway, it was a personal email/conversation. Patient wants it removed from the portal and their Electronic Medical Record. The patient contacted the support of the software provider and was given instructions on how the office can remove/delete the personal email/conversation. The office states that the message was sent as a phone message so it can't be deleted. It was not a web encounter. Patient finds that hard to believe. What happens if the doctor's office accidentally sent a personal email/conversation or results to the wrong patient? Are they able to retrieve it? Patient wants it removed. Email should not have been sent in the first place. The Doctor was leaving town and was sending all the emails he received to the receptionist to take care of. That particular patient's email/conversation was sent also, but no action was needed. It was a conversation. Is this a HIPAA violation with it being a personal email/conversation to the MD on his personal computer? Can it be removed from a patient's portal/EMR if it was sent as a phone message? Software support told the patient they can delete it from the message area of the portal. But the patient would like to know if they delete it, will it still show in the background on the EMR?

What you describe is precisely why I want nothing to do with systems that have patient/doctor communication via email in place. It's bad enough to keep in-person and phone conversations in place than to have to worry about how much of the world has access to information immortalized on computer networks.

Specializes in Complex pedi to LTC/SA & now a manager.

Likely not a violation of HIPAA. Irrelevant to the medical record perhaps and not necessary for continuity of care. Need to contact office manager for policy for patient record correction. Or review the patient copy of the HIPAA policy for the procedure for record correction, it must be in writing.

Specializes in Short Term/Skilled.

A conversation over email would only be a HIPAA violation if personal health information was included in that email and said email was sent to someone who didn't have authorization to access it.

The fact that the patient didn't want to be communicated with in that way means nothing. I don't want to be called on my cell phone, but if my Dr.'s office calls me on my cell phone, I can't do anything about it unless they leave a message with my medical info on it.

Unless something relevant was discussed, the email itself wouldn't be included in the EMR.

But it was a personal conversation/email. Basically the MD was frustrated with the pharmacy and patient was agreeing with the frustration, as they are just as frustrated. Also, if there was nothing relevant, why was the email sent to the patient/portal and was seen by others. Patients can request how they want to be contacted and by who. If the patient did not want to be contacted through the portal, they should not have sent a message that route, especially if it's noted in the patient's chart NOT to contact via portal. NOT to call patient. ONLY MD to contact patient.

Specializes in Complex pedi to LTC/SA & now a manager.
But it was a personal conversation/email. Basically the MD was frustrated with the pharmacy and patient was agreeing with the frustration, as they are just as frustrated. Also, if there was nothing relevant, why was the email sent to the patient/portal and was seen by others. Patients can request how they want to be contacted and by who. If the patient did not want to be contacted through the portal, they should not have sent a message that route, especially if it's noted in the patient's chart NOT to contact via portal. NOT to call patient. ONLY MD to contact patient.

Still not a HIPAA violation, more of a clerical error. You need to follow office policy to have the email removed from the portal.

Specializes in Critical Care.

These "portals" are typically required to be HIPAA compliant, and to ensure all communications are HIPAA compliant, physicians' offices typically route all communication through them. This ensures they are secure and meet auditing requirements. So it's not unusual for any patient to MD communication to be routed through the portal, even if it was sent to the physician's personal phone or e-mail.

While I'm sure many patients would prefer to solely interact with their physician, that's not how a typical office practice works and that's not what they are paying for. Delegating various tasks to MAs, nurses, and other non-physician staff is the service you are paying for. There are options where you can deal only with the physician, such as concierge doctors, but these are rightfully much more expensive than going to an office practice.

Specializes in Short Term/Skilled.

Yep. Patients can request, demand, or ask nicely for anything they want. Doesn't mean that the message will get relayed to everyone and it doesn't mean that those requests can or will always be accommodated. (When it comes to things as trivial as how someone wants to be contacted, or by whom).

It may be irritating, but so is life sometimes. :-/ There are always other doctors' offices to choose from.

Specializes in ER.

If the patient actually did have a more personal relationship with the doc they would be communicating via text, over coffee, or through a Facebook message like friends do. For instance, my ARNP is also my FB friend and we occasionally interact on that level, although she's very careful not to mix business and pleasure.

So, the patient is misconstruing the relationship. The doctor should probably keep personal opinions out of official communications to avoid blurring professional boundaries.

Some patients don't understand that doctors are part of a system that has no wiggle room for time, and are part of a team effort. If they want the personal attention they crave, they need to pay for a concierge physician.

Specializes in hospice.
The patient contacted the assistant and asked why they received the personal email/conversation between the doctor and patient? Then asked "how did you get ahold of it"? The assistant replied "I don't know". The patient asked again "this was a personal conversation/email between the doctor and patient, how did you get it"? "Do you have his password to his home computer to read his messages when he is away"? The assistant replied "I don't know".

If I were the patient, I would have demanded someone else on the phone at this point. If I ask two relevant questions in a row and get back "I don't know" both times, I'm done with you. Never mind later in the conversation it becomes clear that this assistant DID know exactly how the emails got to them.

I think this practice needs to retrain people in basic phone communication. I've pretty much banned "I don't know" from my kids' vocabularies, because it's not a real answer. It's usually an excuse not to think.

Specializes in Short Term/Skilled.
If I were the patient, I would have demanded someone else on the phone at this point. If I ask two relevant questions in a row and get back "I don't know" both times, I'm done with you. Never mind later in the conversation it becomes clear that this assistant DID know exactly how the emails got to them.

I think this practice needs to retrain people in basic phone communication. I've pretty much banned "I don't know" from my kids' vocabularies, because it's not a real answer. It's usually an excuse not to think.

Sorry, but I see this totally differently. From what I gather, the patient is nit-picking and doesn't understand how the portal system works while the assistant is totally unsure how to reply to such a non-issue of a question.

Granted, she should have just said "Just a moment while I find out", but for me the point is that the patient is being unreasonable. If email was such a problem, why even respond?

Pt. is angry because someone saw their non-sensitive email correspondence and reached out to the patient mistakenly under the impression that the patient still needed assistance. Instead of being glad that the staff was looking out for the needs of the patient, the patient is mad that someone saw the email and that they were then contacted via an email that they partook in.

The MA shouldn't have replied with "I don't know", but I'm honestly not too surprised if the conversation went the way I imagine it did.....

This is a concierge doctor's practice. Patient only wants to deal with their concierge doctor and no one else in the practice in regards to their medical care. For the price a patient pays to be part of the concierge practice, patients are paying for the doctor services, not their inept assistants.