ADVANCE Perspective: HIM : HIPAA

Breach Notification: Technically Speaking

Cheryl McEvoy — Wed, 18 Nov 2009 14:50:00 GMT

While researching for my encryption article, " Are You Secured? " I was struck by what I would consider a loophole in the breach notification rules. According to the new regulations, when a security breach or theft occurs, the covered entity or business...(read more)

Movies and Medical Records

Lisa Algeo — Tue, 03 Nov 2009 17:47:00 GMT

(Editor's note: The following blog was written by Mark McGraw, an associate editor on staff at ADVANCE .) It's movie night, and you're not interested in subtitles or surrealism. Maybe next week you'll go for the one with the "Winner: Best Foreign Language...(read more)

PHRs Go Overseas

Cheryl McEvoy — Thu, 29 Oct 2009 13:26:00 GMT

If you've been following Jay's blog, " XY Files in and MT World ," recently, you know there have been some frightening reports of medical records being sold overseas. It's enough to make you hunker down in the States and demand your records stay local....(read more)

AHIMA 2009: Off to Grapevine

Cheryl McEvoy — Fri, 02 Oct 2009 14:11:00 GMT

Anytime someone mentions this year's American Health Information Management Association (AHIMA) Convention and Exhibit, I immediately think of the song, "I Heard it Through the Grapevine," because, well, the event's being held in Grapevine, TX. Problem...(read more)

Public Tweets, Private Matters

Cheryl McEvoy — Wed, 16 Sep 2009 15:33:00 GMT

I'm wrapping up an extensive print and online package about social media for our September issue (Look for it next week!), and with all the reading, interviewing and, yes, tweeting I did to research the phenomenon, I thought I'd heard everything. Well,...(read more)

Privacy Problem Causes Real-Life Drama

Cheryl McEvoy — Tue, 21 Jul 2009 13:14:00 GMT

There's been quite a buzz at ADVANCE headquarters about the television phenomena "Nurse Jackie" and "HawthoRNe." Staffers wonder: is it realistic , do nurses approve of the portrayal and--at least around the HIM desk--how many HIPAA violations can they...(read more)

HIPAA be damned?

Lynn Jusinski — Tue, 14 Jul 2009 12:05:00 GMT

[Editor's note: This is a guest blog by ADVANCE for Nurses editor Lyn A.E. McCafferty, who contributes to the "ADVANCE Perspective: Nurses " blog featured on the ADVANCE for Nurses Web site.] If you think the fictional Nurse Jackie and HawthoRNe are bad...(read more)

Patient Consent Gets New Meaning

Cheryl McEvoy — Fri, 27 Feb 2009 15:37:00 GMT

It's Friday. The weekend is almost here. Friends are coming in from out of town. So of course, I'm gathering all the weird news I can to make for some interesting dinner conversation. And the great debate over patient privacy has turned up two gems:

First up, we have a story out of Omaha, NE, where Health and Human Services (HHS) is butting heads with a county historical society over patient consent. The historical society wants to release burial records from a local cemetery. Problem is, the cemetery is affiliated with a former psychiatric hospital, so anyone buried at the site was assumedly treated at the psych center.

Nebraska HHS argues that opening the burial records without patient consent would violate privacy. Short of hiring a clairvoyant or tracking down kin for the OK, HHS can only hope to protect privacy by keeping the records locked up. But the historical society says burial records should be open. The case goes to the state Supreme Court next week.

If that doesn't get your friends gabbing, take a gander at this report. Ah yes, the limitless possibilities of Facebook has proven all too tempting for two Wisconsin nurses. Faced with the rather unusual case of a patient who had a sex toy lodged in his rectum, the nurses threw compassion to the wind and took photos of his X-rays. Said photos were promptly uploaded to Facebook for all to gawk.

Whether the post was to gripe or joke, the nurses have been slapped with serious consequences; in addition to losing their jobs, they may face charges if investigators decide they violated HIPAA or the patient's rights. The photos didn't include identifying information, but by snapping the shots the nurses copied a part of the patient's medical record without consent.

My suggestion? Next time you want to click and post, stick to a safer subject. I hear fluffy dogs in sweater vests are all the rage.

HITECH Alters HIPAA

Lynn Jusinski — Thu, 26 Feb 2009 20:29:00 GMT

By now, most of us have heard a few of the details in the economic stimulus package signed by the president Feb. 17. You'll have $13 extra stuffed in your paychecks each week starting April Fool's Day, and money will go toward green initiatives. Did you know that the stimulus will also affect HIPAA?

The Wisconsin Technology Network offers up a nice rundown of how the HITECH Act will alter the provisions of HIPAA. We're working on an article for an upcoming issue on the stimulus package's affect on the HIT/HIM realm, but the above site provides an early peek into how HIPAA will be impacted. Of note, patients affected by carelessness with protected health information will receive a percentage of the penalties.

Another notable change is that business associates will be subject to civil and criminal liability under HIPAA. I wrote about the role of business associates in HIPAA in this article. Hopefully, these new additions to HIPAA will help prevent cases like the one involving Lubna Baloch from happening in the future.

Harsher HIPAA Might Not Hurt

Cheryl McEvoy — Thu, 19 Feb 2009 17:42:00 GMT

As health care advocates and political pundits commend, tank or simply expound upon privacy provisions in the stimulus package, this morning's Google alerts remind us why HIPAA is oh-so-important in the first place.

CVS Caremark Corp. has agreed to a record $2.25 million settlement following an investigation into its handling-or rather, disposal of-private patient information. Fueled by reports from an Indianapolis news station that employees were dumping pill bottle labels that contained private health information, the Department of Health and Human Services and Federal Trade Commission launched a probe into the company's practices. Investigators concluded that CVS failed to teach or follow proper protocol for disposing records that contained customers' personal information.

In addition to the settlement, CVS must implement a "robust corrective action program" over the next 3 years to meet and maintain HIPAA standards. The company also is required to monitor compliance for the next 20 years.

But as one door closes, another door opens. This time, it's 1,000 records that have jumped the threshold into public domain.

According to the Albany Times Union, a security snafu at a North Carolina transcription company left detailed patient records posted on the Internet. The records have been removed from the site, but through the magic of Google archiving, a curious info-monger could still find the records online as of yesterday, according to the report.

The posted records include about 1,000 patients who visited an Albany orthopedic practice from March through August of last year, and 300 of those include "detailed narratives," the report stated. The practice had been using the North Carolina company for transcription services.

Fines could reach up to $25,000 per violation; if criminal intent is identified, charges could bump to $250,000 and up to 10 years in prison, according to the report.

Ah, there's nothing like the warm and fuzzy feeling you get wondering if a Web trawler enjoys reading about the side effects of your back pain prescription.

A Supreme Controversy

Cheryl McEvoy — Wed, 08 Oct 2008 19:02:00 GMT

Privacy issues are tipping the scales of justice as the Supreme Court of Ohio will determine whether private health information can be released in a civil case against Planned Parenthood. The parents of a minor who got an abortion at Planned Parenthood of Southwest Ohio are seeking the medical records of women who got abortions at the facility over the past 10 years. According to the Cincinnati Enquirer, the parents believe the facility neglected its obligation to report sexual abuse after their daughter, who was 14 years old at the time, informed the clinic that the father was her 21-year-old soccer coach. The parents also allege that the clinic failed to obtain their consent for the procedure.

While abortion is already a hot button issue, this particular case packs the added wallop of patient privacy. Attorneys are calling to release not only the daughter’s medical records, but also medical details of countless other women. They contend that past patients’ medical records may prove a pattern of failure on the clinic’s part to report cases of statutory rape and other sexual abuse. The article did not state whether these women would be notified about the release.

As my nursing friends would say—Holy HIPAA!

The article indicates that any identifying information would be erased before releasing the records, but controversy is nevertheless brewing. Aside from the expected pro-life/pro-choice throw-down among readers’ comments, one individual raised the point that private medical information is often released for research purposes, as long as patient anonymity is ensured. Releasing information to aid the Planned Parenthood civil suit, the commenter claimed, is no different.

Let’s be honest, though—we’re not dealing with apples and oranges. The reasoning is noble: if the clinic has failed to report abuse, repercussions can be addressed. Yet rifling through 10 years of records, unbeknownst to the patients, still reeks of invasion. And if women catch wind of it, as one justice pointed out, they may avoid the clinic altogether.

So do attorneys have a right to demand the records of Planned Parenthood’s previous clients? Should they be required to obtain consent before releasing information? Or does anonymity reign supreme over the wealth of privacy regulations? I’ll leave it for the justices (and perhaps a few brave readers) to mull over.