If you're like me, you didn't know what the term HIPAA (pronounced "hip-a") meant until you had cancer.
The first few times medical people used the word HIPAA in conversation with me, they used it as an excuse to say no to something I was asking them to do. As in:
"Oh, we can't give you those records. It would be a HIPAA violation."
Or:
"We can't discuss your mother's cancer on the phone without a signed release--that would be a HIPAA violation."
Or:
"No, you can't e-mail your doctor. That would be a HIPAA violation."
The woman who handled my medical bills for several years, Kelly, needed a signed release from me for each health-care provider and insurance company before they would talk to her about my medical bills. And, of course, they needed a new one every calendar year. This meant a lot more work and hassle for Kelly and for me, of course.
So for a long time I figured that HIPAA was something hospitals and medical centers dreamed up to help them give patients the run-around.
Whose Privacy?
You may still not know what HIPAA means--and that's OK--but you probably have figured out that it has something to do with patient privacy. Your cancer center probably has notices on the wall about how hard the staff is working to protect your privacy.
But meanwhile, all sorts of privacy violations are happening right, left, and center.
I once had a social worker (at the Seattle Cancer Care Alliance) notice me when she got in an elevator at SCCA and say, "Oh, Jeanne, your cancer is stage IV, right?"--in front of a whole elevator-full of folks.
Earlier, she and I had had a couple of conversations about financial assistance, and when she saw me in the elevator, she just blurted this out. A HIPAA violation? You bet.
Did I report her? Nah.
I had a much more serious HIPAA violation happen at SCCA several years ago, and I DID report that one, and took it all the way to the Office of Civil Rights, which oversees HIPAA, only to have them soft-ball their findings. So I don't have a lot of faith in HIPAA.
My point here is just to document HIPAA violations as they occur--as a way of holding cancer centers accountable.
Security at the Fax Machine
Here's another one, also from SCCA.
A couple of years ago, an oncologist whom I saw briefly after Dr. Livingston left SCCA for Tucson decided that I should see a shrink. After my appointment, he faxed his report--which said I was just fine, thank you very much--over to my regular therapist, and ... wait for it ...
Along with my report, my therapist received a psychological evaluation of ANOTHER PATIENT.
Unbelievable.
Whoever faxed the report faxed this other patient's report along with mine. We considered reporting it, but in the end my therapist just tore it up and threw it away.
Who's Got My Records?
Still at the fax machine, Teri, the Cheeky Librarian, mentioned in an e-mail this morning that a copy of her records had been faxed to the wrong doctor, a former primary-care doctor of hers, I believe.
She asked her doctor why her records were sent to this doctor, and says of his reply: "He hasn't a clue. So much for HIPAA, and medical records confidentiality."
My all-time favorite HIPAA violation is this simple one, also from SCCA (this one has been fixed, by the way):
Patients pay to park at SCCA, but if you have a sticker, you pay a reduced rate. In order to get a parking sticker, however, you had to sign your name on a clipboard that was lying on the front reception counter at the cancer center.
So anyone else who came in and wanted parking validation--or who just happened to stop at the front desk--could see who else had been there that day and could assume that anyone whose name was on the page was being treated for cancer.
HIPAA violation? Oh yeah.
(By the way, I used to sign "Bill Clinton." No one ever noticed.)
© Jeanne Sather 2008.
As proof that I carry around my own Bermuda Triangle, I offer this update on my records malfunction. My records had been sent to a doctor in my old hometown, but a doctor I had NEVER gone to for treatment. He is an Internal Medicine guy; my records were about a skull operation. I called today to see how the mixup might have happened, and found this out: his name is really close to my radiation oncologist's name when heard on a transcription recording. As best as anyone can figure, the transcriptionist Googled the name they heard on the recording, and accidentally found the doc from my old hometown, and entered his info (it could have easily been someone in another different town). So it was a string of coincidences that resulted in my records being sent out of state. The wrong doc has been called and asked to shred my records, once they haul them out of storage. Everything has been handled, and I figure they will make this into a lesson of why one shouldn't start looking up doctors' names willy-nilly, but should contact the originating doctor for verification before recording the name in the permanent record. Weird - I has it.
Posted by: Teri | August 26, 2008 at 08:35 PM
Good morning Bill. :) Thanks for writing such incredibly informed and helpful articles here. Have a beautiful day.
Posted by: Jacqueline | August 27, 2008 at 05:13 AM
I got a good one for you, as a fairly new patient.
I went to my new oncologist's office, and, at my scheduled appointment time, someone I had never seen before stood in the middle of the floor and called "Susan."
Since I don't use that form of my name, and there are a LOT of Susans around, I waited and looked around for a few minutes (very full waiting room), until they called "Susan" again, and asked if they were calling me.
The nurse then asked how I would like to be addressed. I said Mrs. Wallace (I'm old-fashioned). No, she says, it's a violation of HIPAA to call a patient's name in the waiting room.
I told her that was bullshit.
The onc and I talked about this - it seems that in our medium-sized town, many patients prefer not to have their name called in a cancer practice.
OK, but that's not HIPAA!
Posted by: Sue Wallace | August 27, 2008 at 10:54 AM
Well, why not sign Bill's name? He signed HIPAA into law.
My thing is I'm not quite sure, even after having worked at a hospital when HIPAA came into effect (and having to endure all of the mandatory "education"), where HIPAA ends and generalization about privacy starts. I think most hospital employees received the same glossover that I did, and consequently they use HIPAA to describe any privacy issue, HIPAA or no, if it works to their advantage.
HIPAA's quite a hot button with the execs, but if you pulled a random employee aside and quizzed them, I'm guessing you won't get a more sophisticated answer than, "Uh, it's about patient privacy?" I'm sure there were exceptions, but our mandatory education wasn't exactly thorough. They just wanted to check us off the list.
Our local ER makes us write our name, social security number and what's wrong with us on a clipboard on the countertop. I'm fairly sure that's a violation of SOMETHING.
Posted by: Amorette | August 28, 2008 at 02:32 PM
Amorette--what happens if you refuse to give your SS number? Will they treat you?
Because letting that out is the first step toward identity theft. When I am given medical forms to fill out, for me or the kids, that ask for SS numbers, I just leave them blank. But now that I am on Medicare, I think I have to use my SS again ...
Posted by: jeanne | August 28, 2008 at 04:17 PM