*Nothing below is meant to be considered as legal advice.
As a lawyer I focus on HIPAA (the Health Insurance Portability and Accountability Act). I’ve written about HIPAA in cloud based computing for IBM, I’ve trained providers as to how to be compliant, I’ve audited technology companies for compliance, I’ve blogged on Privacy Questions. Most providers I see do not realize this. Thus it is somewhat ironic when I encounter a HIPAA violation as a patient. And recently, I’ve encountered no less than 4 HIPAA violations in the last 4 months. Violations of disclosing hospital records, security of patient portals, text messaging, and marketing.
In short, HIPAA consists in part of the Privacy and Security Rules. These rules give patients protections as to how their information is used, stored, and disclosed. These rules were updated last year under the HITECH (Health Information Technology for Economic and Clinical Health) which strengthened these provisions, breach notification laws, and penalties for violation.
Health and Human Services currently lists 931 breaches that have affected 30.6 million people. But these are mainly before the new HITECH rules came out which are stricter. Most people hear about HIPAA breaches when a provider has lost an unencrypted computer or flash drive containing patient information. But violations are not just losing information. They include the ones I have encountered below.
In February, I was in the hospital which turned into one of my worst nightmares. I started writing about the events and how they weren’t meant to be. But was also not meant to be was an unauthorized disclosure of another patient’s records to me.
Because of all the issues with my care, I requested a copy of my medical records so I could review where things went wrong and what issues still needed to be addressed. As I got to the bottom of the huge stack, I came across a report and discharge instructions for someone who clearly wasn’t me. I immediately contacted the hospital, the physician whose name was on the report (a doctor of a practice that contracts with the hospital), and the Office for Civil Rights to file a complaint on behalf of the other patient.
The information wasn’t what I would consider very sensitive, but it was still their information that I should not have been privy to. The hospital got back to me immediately and I was able to send them back the hard copies of the documents so they could personally shred them. The hospital said the error likely occurred because they are moving offices and somebody didn’t check the printer to see if something else was also printed at the same time my records were. No excuse.
The hospital did not think the provider needed to be contacted, saying it was the hospital’s fault – but I think that is not true and felt it my duty to inform the provider as well because ultimately they have a responsibility to their patient regardless. The physician was glad to know.
I was able to look up this patient by the information on the documents which was not all that detailed. But all I could think was, what if this were my information??? A lot of my information from that hospital stay was incredibly personal. What if that got into the hands of someone who would publish that information. Or what if they used my information to steal my identity?
After all the errors made in my own care, I was appalled by this HIPAA breach. As of yet, I am waiting to hear the results of the hospital’s and physician’s internal review and resolution.
Electronic Health Records
Patient portals can be a great tool. While they are generally not as useful as they could be (and hopefully will be as time goes by), they provide a simple way to communicate with patients, share lab results, and keep track of medical visits. I always sign up for the patient portal when my doctor provides that option. And that’s what I did at a new provider that is associated with Seton HealthCare.
At the office, I was given a form explaining the portal and asking me to consent and provide my email. Then they would send me a username and password to set up an account. I filled it all out but never received an email. So I called to follow up. Turns out they had entered my email in incorrectly and sent the information to another person’s email.
To fix this was no easy feat. I had to go back and forth between the office and the privacy officer at Seton. I had to ask them to go back in and review whether anyone had in fact accessed my information by setting up an account. Then there was an issue with them changing my email in the system. Then there was an issue of resending the account information for me to set it up.
I was lucky – according to the audit performed by Seton whomever received the initial email did not access my account. But I honestly still worry.
There are 2 things they could have done to avoid this error. First, they should have repeated my email back to me immediately to make sure it was readable and they had entered it in their system correctly. Second, they shouldn’t be emailing the username and password. I have found that other providers give you a username and password at your visit so you can take it home and login yourself.
The providers are now reevaluating their processes. Though I think, the vendor who created the patient portal bears some responsibility for a usability issue with their product because it should not have been so hard to remedy, I doubt they will be asked to review this incident. They are not only selling a product based on a promise of security, they are business associates and held to the same standards as providers under HIPAA and HITECH.
Text messaging and HIPAA is a complicated and oft debated matter. Some lawyers will claim it is okay under HIPAA, I disagree.
In January, I scheduled to see an orthopedist and a few days before I went in for my first appointment I received a text message to remind me that I was to come in at 10:10am on 1/13/14 to see Dr. Taylor at his Round Rock location and to reply Y or N to confirm the appointment. I had to reschedule and got another text message with the date, time, physician and location. I had never consented to text messages.
As soon as I arrived for that appointment, I asked to talk to the office manager about this violation. Her defense was (a) “all other practices do it”, and (b) she didn’t think it contained protected health information. I explained to her that just because other practices do it (including the one below who made a marketing HIPAA violation) does not mean it is not a violation. And that protected health information includes information that links to the patient regarding appointments and the doctors name. The doctor told me he had nothing to do with it and it was not his responsibility. I told him it was, because these are HIS patients being text messaged and he could get in trouble. He told me if he were to get in trouble, he’d just quit.
I tried to appeal them as to why this might be important. I wasn’t mad, but I was thinking of my personal and professional experiences who have suffered abuse. Consider an individual whose abuser breaks their elbow and needed to see a doctor. What if that abuser saw the text message, started questioning the patient about this visit and abuses the patient further? This is not a hypothetical situation. It is real for many who are abused. Just because it is on the patients phone does not mean that someone else does not have access to that phone. And text messages are not secure by any means.
It took tweeting the practice over and over and over again to get their attention to address this as I was summarily dismissed by the practice manager and doctor – no one called back. I finally talked to their lawyer (a colleague in the community) who first asked me to stop tweeting about it and then said that since he had just been to a conference on HIPAA, he felt that HIPAA was okay. I do not know if they readdressed their policies and procedures – I hope so, for the sake of those who may suffer for their inability to consider the consequences of their actions.
When I opened up my email this morning, I was surprised to find a “newsletter” from an OB/GYN practice where I am no longer a patient (and haven’t been for years). The newsletter was more of a marketing communication than informational. It asks me to consider their weight loss program and other services. They say the “newsletter” will be monthly and will “share with you tips, breakthroughs and insights that we are excited about and wish to extend to the entire RWG family.” I can only wonder which tips, breakthroughs, and insights will include sponsored ads or marketing information in the future?
Under HIPAA, providers must get permission to use protected health information for marketing purposes. Marketing is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Patients must give an explicit consent, not just an ability to opt out. And patients must be informed of this in the practice’s Notice of Privacy Practices (this practice hasn’t even updated their NOPP since 2012 and do not contain provisions to comply with the HITECH Act rules).
I don’t know if it concerns me more that they are sending a marketing communication without my consent and disclosing my information to a third party for that purpose (the email said to contact a third party about the communication) or that they are using my information when I am no longer their patient. Either way, I find this unacceptable and filed yet another complaint with the OCR. I have contacted the practice by phone and tweeted them too. They responded to my tweets that I can just opt out.
I am truly shocked by these violations – both the number of violations and how easily they occurred. I know there are a lot of rules under HIPAA for keeping information private and secure, but there aren’t so many that is unmanageable and most have been in place since 2003. Certainly there are problems with the law (mostly in my view with patients getting access to their own records). But we must remember that HIPAA is ultimately about establishing trust. These rules are not in place to provide a serious hassle but to ensure that patients can feel safe in disclosing sensitive information to their providers. If patients cannot talk to their doctors and feel confident this information will be protected, they will not receive the care they need.
I am troubled knowing how easily my information can be shared – an printout inadvertently sent to another patient, an individual accessing my patient portal, an abuser seeing a text message about my treatment, a practice that sells my information years after I stop seeing them. I am generally very open and lenient when it comes to my own privacy, but this isn’t just about me – this is about all patients who have rights because this is our information, their health, their lives.
To learn more about HIPAA and HITECH visit the OCR website.
If you have a complaint concerning your or someone elses protected health information, you can file a complaint online, call 1-877-696-6775, or send a letter to the U.S. Department of Health and Human Services Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201.