HIPAA Issues: Occurring Every Day in Medical Practices

July 28, 2012

Are you and your office staff up to date with the HIPAA privacy laws? After what I recently saw, you might want to have a refresher.

Something happened last week that I wanted to share with all of you.

I went in for a routine exam at my physician's office. After being called back from the waiting room, someone placed me in another small room adjacent to the front office area. My blood pressure and heart rate were taken, and as I waited for my physician I was witness to something very disturbing that you will need to make sure is NOT happening in your office.

A back office staff member was looking at the schedule and very loudly said, “John Doe is here?! He can't come back here. He owes us $25 from his last visit six months ago. I was going to send him to collections!” Then began the verbal berating about how the patient is lazy and irresponsible. She continued to discuss his condition as “all mental.” Since there was only one gentleman in the waiting room area, it was not hard to figure out who she was talking about.

Now, whether any of that was true or false regarding the patient, or merely her perception, there is something we are all aware of called HIPAA privacy laws. They are there to protect the patient. If you do not have a copy of HIPAA in your office, I suggest you get one as soon as possible. Perhaps it's also time to review with your staff what that law entails. The above scenario happens. Untrained employees often talk about patients, even outside of the workplace. This is a very big problem to have in your practice, and if Mr. Doe had heard what I heard, a lawsuit would be pending by day's end.

As I was moved to another room and my physician arrived, I explained what I had just witnessed. She was shocked and appalled. She could not believe anyone on her staff would ever say such a thing about one of her patients, or in front of another patient. I can only hope that she followed up with her staff as promised, as I am hesitant to return to that office with such a blatant disregard for privacy laws.

Let's review what this law entails (full information here):

“The Privacy Rule protects all 'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information 'protected health information (PHI).'

'Individually identifiable health information' is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of healthcare to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.”

It's really as simple as reviewing your policies, protecting your practice and your patients. Educate your staff and follow up with any complaint of privacy infraction.

Find out more about P.J. Cloud-Moulds and our other Practice Notes bloggers.