Archive for January, 2011
Q. An insurance company is requesting copies of medical records so it can review our CPT® coding. These cases are at least one year old and have been paid already. The insurance company said its review will not affect our payment. Do we need patient authorization to release these records since this does not involve treatment, payment, or office operations?
A. Covered entities (CE) are permitted to use or disclose PHI without patient authorization for treatment, payment, and healthcare operations. Most CEs think about their own healthcare operations, but the Privacy Rule permits CEs to release PHI to another CE—if the second CE needs the information for its healthcare operations—as long as both CEs have a relationship with the patient.
In this case, you may release patient records to the insurance company if it is auditing the accuracy of its claims payment process. This request is probably legitimate; you’ll simply need to get more information from the insurance company to ensure that this is part of its healthcare operations.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.
Q. May a preadmission nurse leave messages (e.g., “This is a reminder that your surgery is tomorrow; please don’t drink or eat anything after midnight.”) on an answering machine or mobile phone voicemail?
A. Yes, as long as the nurse does not specify the type of surgery or the name of the practice. Leaving the name of a specialty practice or the type of surgery, especially on an answering machine, can allow unauthorized individuals access to the patient’s PHI. Asking patients beforehand whether it is okay to leave such messages on an answering machine or voice mail is always best (45 CFR 164.502[a][i]).
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.
It never hurts to share these tips with your staff:
What HHS considers a reasonable safeguard against incidental disclosures can vary depending on the size of the covered entity and the nature of its business. In designing safeguards, healthcare organizations should consider three primary factors:
- Potential risk to patient privacy
- Impact on patient care
- Financial and administrative burdens of implementing safeguards
Common safeguards include:
- Asking the staff to speak quietly with family members in a waiting room or other public area
- Avoiding the use of patient names in public hallways and elevators
- Isolating or locking file cabinets and record storage areas
- Using password protection for computers that contain PHI
This week’s tip was adapted from The Privacy Officer’s Handbook. For more information about this book, visit the HCMarketplace.
The Sheriff’s Department calls our hospital from time to time asking if a certain person has been in our emergency room. Last week they called and asked if a certain person shows up in the emergency room to call them (the person had not committed a crime). I advised hospital personnel not to give out any patient information…am I wrong?
Another state attorney general is using new enforcement powers granted by HITECH – again, at the expense of Health Net, Inc.
The insurance giant agreed to pay Vermont $55,000 regarding its 2009 loss of a portable disk drive from the Shelton, CT, location that led to the loss of protected health information (PHI) of approximately 1.5 million people, including 525 Vermonters.
This is the second HIPAA enforcement action of its kind since HITECH granted state attorneys general HIPAA enforcement authority in February 2009. Connecticut’s AG was first.
Health Net discovered the drive was missing May 14 but did not start notifying affected Vermont residents until more than six months later, the state AG’s office reported in a press release.
Attorney General William Sorrell’s January 14 complaint against Health Net, Inc., and Health Net of the Northeast, Inc. charges the insurer with violations of HIPAA, Vermont’s Security Breach Notice Act, and the Consumer Fraud Act. The settlement also calls for Health Net to submit to a data-security audit and file reports with Vermont regarding its information security programs for the next two years.
“Consumers expect—and the law requires—that personal information be treated with the utmost care,” Sorrell said in a statement. “Identity theft remains one of the fastest growing crimes in America. Companies must be careful to prevent Vermonters’ sensitive information, especially their medical records, from falling into the wrong hands.”
Health Net told HIPAA Update in a statement that “protecting the privacy of our members is extremely important to us.”
“Health Net has worked closely and cooperatively with the Vermont Attorney General,” according to the statement, “and we have agreed to the terms contained in the agreement filed with the court to resolve this matter, which occurred in 2009.”
To date, Health Net has no evidence that there has been any attempt to access or misuse the data, the company said in the statement.
The lawsuit is Vermont’s first enforcement action under the Security Breach Notice Act. The portable hard drive contained PHI, Social Security numbers, and financial information.
The complaint filed January 14 says Health Net’s six-month delay in notifying Vermont residents violates the Security Breach Notice Act. That law requires data collectors to notify affected individuals of security breaches “in the most expedient time possible and without unreasonable delay.”
The complaint further alleges that Health Net violated HIPAA by failing to secure PHI and breached the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company’s notice letters.
The complaint and proposed consent decree were filed in the U.S. District Court for the District of Vermont. The consent decree must be approved by a judge before it takes effect.
“Health Net has taken significant steps to assure that our members are protected,” according to the statement to HIPAA Update. “We have offered two years of free credit monitoring services for all impacted members who elect this service. This service also includes $1 million of identity theft insurance coverage, as well as fraud resolution and credit and identity restoration services at no cost to the members.”
Health Net not only settled with the Connecticut state attorney general’s office (for $250,000) but also with the Connecticut Insurance Commission, which reached a settlement with Health Net in which the insurer had to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.