Is this a HIPAA Violation - Invasion of Patient's Privacy?


Would like to know two things: Is this a HIPAA Violation and Can this be removed from an EMR/Patient Portal?

Patient and Doctor had a personal email/conversation over the weekend. More to the story, but Doctor was venting to the patient how frustrated he was with the patient's pharmacy. Patient replied how they agreed it was frustrating and the patient has been frustrated with the pharmacy for several other problems with prescriptions. That's it. The email was as simple as a personal conversation between doctor and patient. On Monday, the patient's email ended up in their portal from the assistant at the doctor's office. Patient has already instructed the office and it's noted in their chart for no one to contact the patient except the doctor and not to contact them through the portal or another secured messaging site. The assistant obviously did not read the note or remember that the patient did not want to receive anything through the patient portal. The patient contacted the assistant and asked why they received the personal email/conversation between the doctor and patient? Then asked "how did you get ahold of it"? The assistant replied "I don't know". The patient asked again "this was a personal conversation/email between the doctor and patient, how did you get it"? "Do you have his password to his home computer to read his messages when he is away"? The assistant replied "I don't know". Patient said "then how did you get ahold of it"? Assistant replied "It comes through the secured messaging site". Patient replied "that they don't use the secured messaging when they found out it wasn't so secured when their personal message to the doctor was being read by assistants and answered by assistants". The assistant then replied "the doctor sent it to the receptionist, who sent it to one assistant who sent it to the other assistant". The patient replied "so everyone in the office just read the personal email/conversation between the doctor and patient"?
"That still doesn't answer why the patient received it through their portal when noted in their chart not to send anything to the patient through the portal or make contact with patient". The assistant replied "it was sent to help with the issues". Patient asked "what issues - there are no issues - the issue has passed". The assistant said "issue with Joe's prescription". The patient said "the prescription for Joe was from over a month ago, issue was resolved over a month ago". Obviously, they didn't read the email/conversation or they would have realized it. Anyway, it was a personal email/conversation. Patient wants it removed from the portal and their Electronic Medical Record. The patient contacted the support of the software provider and was given instructions on how the office can remove/delete the personal email/conversation. The office states that the message was sent as a phone message so it can't be deleted. It was not a web encounter. Patient finds that hard to believe. What happens if the doctor's office accidentally sent a personal email/conversation or results to the wrong patient? Are they able to retrieve it? Patient wants it removed. Email should not have been sent in the first place. The Doctor was leaving town and was sending all the emails he received to the receptionist to take care of. That particular patient's email/conversation was sent also, but no action was needed. It was a conversation. Is this a HIPAA violation with it being a personal email/conversation to the MD on his personal computer? Can it be removed from a patient's portal/EMR if it was sent as a phone message? Software support told the patient they can delete it from the message area of the portal. But the patient would like to know if they delete it, will it still show in the background on the EMR?

Understandable and this situation was with a concierge physician. Patient is paying for the personal attention 24/7.

Great reply! Thank you. Loved your answer. The LPN/medical assistant just didn't want to think. Doesn't think. Unfortunately, the office doesn't know how to hire the right people for their office. They take the first person who applies. No verification with references, no background checks. With a concierge practice, it's very important to have the right person working who represents the physician and practice.

Replying to the CNA who sees the issue as the patient nit-picking. Portals are for medical information that pertains to that patient that could help with future treatments. Not for conversations between patient and doctor where the doctor started the email and patient responded. If the patient information was ever transferred to another facility or specialist, that conversation would not be beneficial to the care of the patient. In regards to the staff looking into the situation to see if they can help. They work over time doing non value added tasks. This was one of them that probably caused the office overtime hours. This MA is incompetent to the office.

Specializes in OB-Gyn/Primary Care/Ambulatory Leadership.

Please use quotes. We have no idea what post you're replying to.

What they did is not a violation of privacy laws. There is nothing that we can really answer or help you with here. Sounds like an issue with your physician and his practice. You need to take it up with him.

Specializes in Emergency, Telemetry, Transplant.
They work over time doing non value added tasks. This was one of them that probably caused the office overtime hours.

How do you know if they are working OT or not? If you feel that the doctor charges you too much, go somewhere else….otherwise, don't concern yourself with how the ancillary staff spends their time.

Perhaps the doctor forwarded the email to a member of the staff and said "Both Mr. Smith and Mrs. Johnson had issues with the SuperMart Pharmacy. Could you please look into this?" Medical staff of the office is going to see some of your health information in the course of providing care to you. In addition, it does not sound like the information contained in this email was PHI. It was not like he asked an assistant, "Could you please find the results of Mr. XYZ's HIV test?"

Specializes in NICU, Trauma, Oncology.

Fwiw at the clinic I either with all communication between dr/pt whether it be personal email, a Xmas card or a thank you card was input into the patient record as a "just in case" for future litigation or other issue.

Specializes in Vents, Telemetry, Home Care, Home infusion.

As HIPAA Privacy officer in a home health agency, this does not appear to be a HIPAA violation. However, HIPAA has provisions that patient can make requests for medical record to be edited; despite patient request, it is up to the practice to determine if they will remove information from chart and notify you of outcome request.

Drag out your practice's HIPAA privacy notice - that most offices require signed acknowledgement you reviewed and received - and submit request for removal. Privacy notice usually posted most facility/practices websites too.

Hope you can get your concerns heard + chart entry reviewed.

How do you know if they are working OT or not? If you feel that the doctor charges you too much, go somewhere else….otherwise, don't concern yourself with how the ancillary staff spends their time.

Perhaps the doctor forwarded the email to a member of the staff and said "Both Mr. Smith and Mrs. Johnson had issues with the SuperMart Pharmacy. Could you please look into this?" Medical staff of the office is going to see some of your health information in the course of providing care to you. In addition, it does not sound like the information contained in this email was PHI. It was not like he asked an assistant, "Could you please find the results of Mr. XYZ's HIV test?"

I know they are working OT because the doctor complains to me about them working overtime. There were no instructions on the email that was forwarded for the medical assistant to do anything. I honestly believe it was an accident with him trying to get things done before going on vacation. I asked multiple times, how she received the email, who sent the email, why, etc. Her answer was "I don't know". It's my choice to pay the concierge retainer fee, but I already told him I'm not paying the extra for him to hire another person who is not needed. I would pay extra if he actually hired an RN who could run the office on her own.
