Archive for HIPAA Weekly Advisor
Q. How does the HIPAA privacy rule coincide with the new Red Flags Rule, which requires providers with covered accounts to contact law enforcement if the provider suspects identity theft? May providers release PHI or discuss the patient’s case with law enforcement officials?
A. The Red Flags Rule does not require you to notify law enforcement officials of suspected identity theft. Instead, the rule permits you to do so. Most states' identity theft protection laws allow this as well. Informing law enforcement officials about a PHI breach and its nature does not violate HIPAA. Patient authorization is necessary before you disclose any specific identifiable information to law enforcement officials. Absent specific authorization, release of PHI to law enforcement would violate the HIPAA privacy rule.
Advising patients to contact law enforcement is the best course of action. If warranted, notify law enforcement of the breach and provide the perpetrator’s name if known, but don’t provide a list of affected patients.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
Following the recent declaration of H1N1 flu as a national health emergency, the government posted a number of documents that have HIPAA implications, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
Ruelas points to this document on the CDC Web site that summarizes other related documents online.
“Many of these documents help clear up questions on whether the subsequent 1135 waivers suspend HIPAA, the time frame related to these waivers, and those provisions of the HIPAA privacy rule where the Secretary of HHS may waive sanctions and penalties,” Ruelas says.
Q. An anticoagulation clinic might offer group classes for newly enrolled patients. The classes would include the effects of the patient’s diet and over-the-counter medications, the effects of prescription medication on anticoagulation medication dosing, safety measures, review of conditions requiring anticoagulation medication, and potential complications and side effects of anticoagulation therapy.
If we don’t discuss specific individual information in the group setting, are we still at risk for a potential HIPAA violation?
A. As long as you inform the newly enrolled patients in advance that other patients requiring anticoagulation therapy will attend voluntarily, you will not be in violation of the HIPAA privacy rule. Mandatory attendance could represent a HIPAA privacy rule violation because you would be exposing patients to other patients with similar conditions. Patients’ voluntary attendance indicates to others present that they or their family members take anticoagulation medication.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
Q. May a hospital provide its foundation with a list of recent patients for fundraising purposes?
A. The hospital can supply its foundation with patient demographic information and the dates it provided healthcare. However, any fundraising letter must include language informing patients that they may opt out of future fundraising activities, and the hospital and its foundation must cease any further fundraising communication to patients who opt out.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
Pittsburgh insurer Highmark, Inc., an affiliate of Blue Cross-Blue Shield, is notifying 50,000 doctors that their personal information may be exposed after a laptop owned by a Blue Cross-Blue Shield Association worker was stolen this past summer, the Pittsburgh Tribune-Review reports.
Lisa Martinelli, Highmark, Inc.'s chief privacy officer, told the Tribune-Review the information included either Social Security numbers or tax identification numbers.
The employee decrypted a database and downloaded provider information to a personal laptop. The laptop was stolen from the employee's vehicle in late August in Chicago, where the Blue Cross-Blue Shield Association is headquartered.





