My husband was violated today and I need advice!! (HIPAA violated that is)


I am at dinner with my husband tonight and he tells me that he got a call today on his cell he uses for work from someone who claimed to work at the office of a doctor he saw one time over a year ago saying that said MD told him my husband had come to the office for back pain and asking if he had time to talk about his pain killer usage... (background... DH has 2 herniated disks and nerve damage for about 5 years now and a lot of pain and is under treatment from a different doc and gets injections into the bones every other month. This particular MD is a family practice doc and when we moved here last year, hubby chose her for primary and he saw her ONCE for a physical when he was told she couldn't manage him and he would have to see someone else... He changed his primary asap and the new MD sent him to ortho and pain management which is specialists who were treating him in NY). So back to today, my husband told the man on the phone he could not talk because he was at work and was given a phone # to call back when he could. He called the man back a few hours later and it went to voicemail saying this is "John at such and such clinical research facility" leave a message. DH didn't and told me later about call.

Well my DH works in advertising sales locally and it just so happens that "such and such research facility" is one of his clients. So not only did this doc give out his name, cell, and medical history to this research company, they gave it to one of his clients at work... The phone # that he called btw is in no way associated with the doc's office and instead links to research company. I googled this company and they have multiple studies on back pain happening right now so I am assuming they were soliciting participants.

Am I completely wrong about this being a HUGE HIPAA violation 'cause I feel like this is pretty bad news... And what the H-E double hockey sticks do we do now? These people are his clients and don't need to know his medical history! It's a fairly small company, 5 PIs, clinical staff of 20... How many other people I wonder are getting the same calls and don't know that their info has been exposed??? Lucky for us my DH told me and I told him not to accept any more calls from this man saying he works for the doc but this is completely wrong and a HIPAA violation, is it not?

Specializes in Vents, Telemetry, Home Care, Home infusion.

how to file a complaint

if you believe that a covered entity violated your (or someone else's) health information privacy rights or committed another violation of the privacy or security rule, you may file a complaint with ocr. ocr can investigate complaints against covered entities. covered entities - a covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically. for more information, please review our understanding health information privacy section or look at our responses to frequently asked questions (faqs) on our web site.

complaint requirements - your complaint must:

  1. be filed in writing, either on paper or electronically, by mail, fax, or e-mail;
  2. name the covered entity involved and describe the acts or omissions you believe violated the requirements of the privacy or security rule; and
  3. be filed within 180 days of when you knew that the act or omission complained of occurred. ocr may extend the 180-day period if you can show "good cause."

anyone can file! - anyone can file a complaint alleging a violation of the privacy or security rule. we recommend that you use the ocr health information privacy complaint form package. you can also request a copy of this form from an ocr regional office. if you need help filing a complaint or have a question about the complaint or consent forms, please e-mail ocr at [email protected].

hipaa prohibits retaliation - under hipaa an entity cannot retaliate against you for filing a complaint. you should notify ocr immediately in the event of any retaliatory action.

how to submit your complaint - to submit a complaint, please use one of the following methods.

if you mail or fax the complaint, be sure to send it to the appropriate ocr regional office based on where the alleged violation took place. ocr has ten regional offices, and each regional office covers specific states. send your complaint to the attention of the ocr regional manager. you do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.

file a complaint using our health information privacy complaint package

  • open and fill out the health information privacy complaint form package in pdf format. you will need adobe reader software to fill out the complaint and consent forms. you may either:

      1. print and mail or fax the completed complaint and consent forms to the appropriate ocr regional office; or
      2. e-mail the completed complaint and consent forms to [email protected]. (please note that communication by unencrypted e-mail presents a risk that personally identifiable information contained in such an e-mail may be intercepted by unauthorized third parties.)

file a complaint without using our health information privacy complaint package

  • if you choose not to use the ocr health information privacy complaint form package, please provide the information specified below by either:

      1. mail or fax to the appropriate ocr regional office; or
      2. e-mail to [email protected].

  • if you prefer, you may submit a written complaint in your own format. be sure to include the following information:

      1. your name
      2. full address
      3. telephone numbers
      4. e-mail address (if available)
      5. name, full address and telephone number of the person, agency or organization you believe violated your (or someone else's) health information privacy rights or committed another violation of the privacy or security rule
      6. brief description of what happened. how, why, and when do you believe your (or someone else's) health information privacy rights were violated, or how the privacy or security rule otherwise was violated
      7. any other relevant information
      8. your signature and date of complaint

    if you are filing a complaint on someone's behalf, also provide the name of the person on whose behalf you are filing.

    the following information is optional:

      1. do you need special accommodations for us to communicate with you about this complaint?
      2. who else can we call if we cannot reach you?
      3. have you filed your complaint somewhere else? if so, where?

Specializes in Critical Care, ED, Cath lab, CTPAC,Trauma.

well, thank goodness we straightened that out...........!

thank you viva and nrskaren for your ever guiding hands and knowledge as well as that 12 inch ruler you carry to keep us in line..... (no really love you guys)

and to think some people think we eat our young.....how ridiculous!

p.s. ladyinscrubs and grn tea. i stand corrected........... "to contact the government agency to report a hipaa violation go to.......http://www.hhs.gov/ocr/privacy/.......... or your corporate compliance officer........".

(pshew...that unexpected and harsh...)

Specializes in Critical Care, ED, Cath lab, CTPAC,Trauma.

Hey! I know how to stay on topic and address the situation--it's a very serious problem, that well would you look at that...butterflies....

Originally Posted by ®Nurse

Good Lord Almighty. Puhleeaze stop berating the OP and look through the trees at the forest. The question has to deal with a probably/possible violation of the privacy act. It is so extremely disheartening to have people go off on a tangent for something so trivial when compared to something that is frightening/maddening/frustrating/ or what have you that is supposed to be the topic at hand.

If I were in your shoes, I would go the office that the suspected privacy breach originated from and ask to see what they include in the fine print surrounding the privacy laws. I would inquire how long they've been using that particular form and go from there. You may decide to ask out right if disclosing information to ABC Company is in violation of the privacy act, or you may decide not to. Either way, it's a beginning that may shed some more light on what is going on.

Good luck.

Amen.......!!!! and Greenfire.......you're right. HIPAA has taken on a life of its own....

Specializes in ER, ICU, Education.
Before this thread is locked, I'd like to chime in:

This is one of the most ridiculous arguments I've ever seen here. And pretty confusing as well. I still can't figure out why the OP is apologizing (there seem to be some deleted posts?). Hipaa is very often corrected as hippa on auto corrects on phones and computers (if that's all this is about).

Absolutely! You know what it reminds me of? Hermione's line in Harry Potter Sorcerer's Stone: "It's leviOsa, not levioSA!" Lol. OP, I'm sorry this incident occurred. I tend to agree with Whispera, probably due to a tiny, fine-print clause on your privacy form.

Specializes in Infectious Disease, Neuro, Research.
help me figure out what to do.

I'll make it easy:

http://www.fda.gov/ICECI/CriminalInvestigations/default.htm

The site is a PITA to navigate, but I would start with CID. Basically, call and state what you've said here- you are unaware of giving permission to have PHI released for research purposes. If this doc has a database "for research" it should have been cleared with an IRB to define the nature of PHI collected, and approved uses, and to whom it could be released. You will be requesting a "for cause audit" of Research Company X for suspected HIPAA violations.

In turn, if Research Company X is not a business affiliate of Dr. Y (i.e., they are part of the practice group), and if the release was not clearly defined, they are in violation. Kinda-sorta doesn't cut it- that's why the process is called "Informed" consent.

Email me, if you like.

EDIT: OCR is the catch-all, but this is probably better addressed through the research end, since that is where the money is going. OCR will determine if they should be fined (if there is fine print in the Privacy Policy, they probably won't be), FDA will be more likely to make them change their practices.