Archive for August, 2013
Q. A physician’s office in a neighboring state calls to say it needs our ER records for a patient who is calling from home for pain medications and the office needs the records (without the patient’s written consent) before it can make a decision about the medications. There is nothing in the patient’s record that shows a relationship between the physician and the patient. Is it okay to release this information without the patient’s written authorization? Do we need to call the patient to obtain verbal permission? Should we ask the requesting provider to fax a request to us?
A. PHI may be released for treatment purposes without the patient’s written authorization or verbal permission. If the requesting provider is unknown to you or you are questioning the authenticity of the request, you may ask the provider to fax a written request on office letterhead or prescription pad. If you still have concerns about the authenticity of the request, you may contact the patient to verify that he or she wants the information released.
Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter.
An unknown number of Tampa General Hospital (TGH) patients treated by University of South Florida (USF) physicians could be at risk for identity theft, according to an ABC Action News report. TGH and USF have not announced the details of the breach of PHI on their websites, but USF sent letters to affected patients to notify them that they may be at risk for identity theft, according to the news report.
Sharee Chapman was seen at TGH for hip replacement surgery May 16, according to the report. She contacted ABC Action News after receiving a two-page letter from USF. The letter stated that a USF employee was stopped by Hillsborough County sheriff’s deputies May 24 and a search of the employee’s vehicle revealed TGH patients’ Social Security numbers, names, dates of birth, and medical record numbers.
HIPAA requires covered entities to report a breach of PHI to affected individuals within 60 days of discovery. Chapman told ABC Action News that the letter she received was dated July 26 but postmarked August 13, which was nearly three months after the breach was discovered.
The employee, who has since been terminated, was not authorized to access the PHI, ABC Action News reported. The employee has not been identified. No medical records were discovered in the vehicle, but USF stated in its letter that some of the documents found were used for patient billing, the report said.
PHI of more than 4 million patients may have been jeopardized when four computers were stolen July 15 from an Advocate Medical Group administrative building in Park Ridge, Ill., according to an August 23 press release. Advocate Medical Group, a division of Advocate Health Care, has more than 1,000 physicians and 200 locations in the Chicago area. Advocate Health Care patients were not affected by the theft, the Chicago Tribune reported.
The computers contained names, addresses, Social Security numbers, and dates of birth for patients seen at Advocate Medical Group from 1990 through July 2013, Kelly Jo Golson, senior vice president and chief marketing officer at Advocate Health Care, told the newspaper. The computers were password-protected, but not encrypted, said Golson. No medical records were stored on the computers and Golson does not believe they were stolen in an effort to obtain the patient data stored on them.
The medical group began sending letters to affected patients August 23 and will continue to do so through September 19, according to the newspaper. The letter was posted on www.patientnotice.org. It states that Advocate will offer credit monitoring services to those who were affected by the burglary.
The medical group’s office did not have a security alarm, according to the newspaper. However, the letter stated that a physical security presence has since been added to the building and Advocate will evaluate and reinforce security protocols.
Advocate reported the breach to HHS, OCR, local police, and the Illinois attorney general, according to the press release.
CVS Caremark rolled out its new ExtraCare Pharmacy and Health Rewards program in February as an extension of its original rewards program that offers deals on in-store products. The prescription rewards program offers pharmacy customers $5 in store credit for every 10 prescriptions filled. Each person enrolled in the prescription program can receive up to $50 in store credit annually.
A Los Angeles Times analysis of the rewards program revealed that the pharmacy is asking patrons to sign a HIPAA authorization to join the program, but the company fails to clarify the nature of HIPAA for those who may not understand it. The authorization permits CVS to record the prescription earnings of each enrollee, according to the Times. It also asks patients to acknowledge that their “health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule” but does not indicate what entities the information might be shared with, the report said.
A CVS spokesman told the Times that CVS does not “sell, rent, or give personal information to any non-affiliated third parties.” However, the spokesman would not comment on whether he believed CVS was adequately describing HIPAA to customers or what the potential consequences could be for those who sign away their privacy, the Times reported. He also declined to comment on the details of the potential re-disclosure of patient information, according to the report.
Cogent Healthcare notified 32,000 patients of a data breach caused by a security lapse at M2Comsys, the vendor hired to transcribe the company’s physician notes, The Tennessean reported. PHI, including physician’s name, patient date of birth, diagnosis, treatment, medical history, and medical record number, was compromised when what should have been a secure website was accessible to the public May 5 to June 24, according to the report.
Cogent is a hospitalist company based in Brentwood, Tenn. The company terminated its relationship with M2Comsys as a result of the breach, according to The Tennessean. Cogent is still investigating the breach, which impacted partners and patients in 48 states, and has yet to identify who may have accessed the PHI. Patients affected by the breach will receive a one-year membership to Experian’s ProtectMyID Alert, the newspaper reported.