Archive for January, 2014

Q: I am a registered nurse who received treatment for a health problem in the ED of the hospital where I am an employee. On my way to the ED, I informed my supervisor that I would not be able to work that evening due to my health problem. She requested that I obtain a return-to-work note, but I forgot to ask the ED physician for one prior to discharge. I was able to obtain the note the following day, at which time the physician informed me that my supervisor called him the evening of my discharge to ask if I requested the note. My supervisor says she has the right to validate the note. Is this a HIPAA violation?

A: Let’s analyze this as if you worked at your local discount store and called in sick. If you brought a return-to-work note back to your employer and he or she believed it to be a forgery, the employer could call to verify that the document came from the provider. However, in your case you did not get a note, so there was nothing to verify. Also, the employer would only be able to verify that it was a bona-fide document; no other PHI could be released without your permission.

What is problematic here is that the line between HR and healthcare is blurred. You have the right to seek care in your ED (or anywhere else in your facility) and to not have your supervisor use his or her position to obtain information about you (unless he or she needs it because he or she is also providing care to you).

Editor’s note: This question was answered by Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com.


Officials at Phoebe Putney Memorial Hospital in Albany, Ga., recently terminated two employees for HIPAA Privacy Rule violations that led to the theft of a password-protected unencrypted computer, the Albany Herald reported.

The hospital announced January 3 that a password-protected, unencrypted desktop computer containing PHI of patients treated from May 2010 to October 2013 was missing from its outpatient behavioral health clinic. The computer may have contained patient names, addresses, dates of birth, dates of service, diagnoses, and some Social Security numbers, the article said.

A police report stated that at 7:30 p.m., November 5, 2013, a clinic employee placed a computer in a box, moved it into the hallway, and intended to relocate it to a spare office the following day. However, the box was not where the employee left it when she returned the next day. A janitor reportedly took the box to the dumpster because he thought it was trash, but no one was able to locate it, according to the Albany Herald.


HCPro’s Medical Records Briefing newsletter is conducting a benchmarking survey on HIPAA compliance, and we would appreciate your input. Please take a few moments to complete this survey.

Thank you for your feedback!


Q: Our organization color-codes patient files according to referral source and type. We use a specific color for Medicaid patients. We use these charts primarily for billing documentation and correspondence purposes because most session notes are on an electronic system. Does using color-coded charts to distinguish patient types violate HIPAA?

A: HIPAA does not prohibit color-coding patient charts. However, ensuring that the color key is not readily accessible to visitors, other patients, and family members is important, as is ensuring that charts are not in plain sight where unauthorized individuals can view patient names. For example, if the charts of patients seeking treatment for HIV/AIDS are uniquely color-coded and an unauthorized individual could easily determine the diagnosis associated with the color, a chart left out where only the patient name is visible could be used to easily identify a patient’s condition. In the end, it’s a matter of securing charts versus the use of colors or numbers to identify classes of patients.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Please email your HIPAA questions to Associate Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com.


The North Carolina Department of Health and Human Services (DHHS) recently released a statement announcing that 48,752 new Medicaid cards were mailed to incorrect recipients.

Under new eligibility rules, 70,253 children in North Carolina were transferred from NC Health Choice to Medicaid, prompting the North Carolina DHHS to mail new Medicaid cards to children affected by the transition. The cards include each child’s name, Medicaid identification number, date of birth, and primary care physician, according to the statement.

The North Carolina DHHS said that it will issue new cards to affected Medicaid beneficiaries and that it is working to monitor incorrectly mailed cards for evidence of fraud.
