HIPAA

All the HIPAA Posts in One Place

/ Jordyn Redwood / Leave a comment

This post will simply be a reference tool for authors. Since I have so many posts about HIPAA, the patient privacy act, I decided to put links all in one place for your convenience. This would be a great link to bookmark.

General Information Regarding HIPAA:

HIPAA Part One
HIPAA Part Two
HIPAA Part Three

Specific HIPAA Topics:

Law Enforcement and HIPAA
Disclosing Protected Health Information Under HIPAA
Disasters and HIPAA
HIPAA and Identity Thefts
Author Beware: Proof’s Problem with HIPAA
Modern Family: Disclosing Pregnancy Results
Author Beware: HIPAA— It’s no April Fools

Remember, in a novel it’s perfectly okay for a character to violate HIPAA. In fact, in might be preferred to increase the drama/conflict in your story. Just remember, they need to face consequences for their actions, or it should be made clear that other characters are aware that the action did violate this law. This ensures the reader knows that you’ve done your research.

Author Beware: HIPAA– It’s No April Fools

/ Jordyn Redwood / Leave a comment

Image by Gerd Altmann from Pixabay

One of the biggest errors authors make in regards to writing about something medical is that their character violates HIPAA. HIPAA is a law that outlines a patient’s rights regarding their protected health information (PHI). I’ve blogged extensively on this topic and you can find these posts by following these links:

Author Beware: The Law: HIPAA  Part 1/3
Author Beware: The Law: HIPAA Part 2/3
Author Beware: The Law: HIPAA Part 3/3

HIPAA and Law Enforcement
Author Beware: Proof’s Problem with HIPAA
Disasters and HIPAA
Modern Family: S10/E7 Disclosing Pregnancy Results

The simplest way to explain a HIPAA violation is that someone accesses a patient’s information when they are not directly caring for that patient and/or discloses protected health information about a patient publicly.

Two recent stories have highlighted each of these scenarios.

The first involves actor Jussie Smollett and several dozens of hospital employees accused of viewing his medical information at Northwestern Memorial Hospital in Chicago, Illinois. They were all fired, reportedly some didn’t even open the chart, but just “scrolled by” it. The point is, with today’s technology and electronic medical records, it is very easy to determine who has accessed someone’s health information. It’s basically tracked electronically. Unless you are directly involved in caring for a patient, it is illegal for you to look at their information. I can’t even access my own children’s medical charts at the hospital where I work unless I go through the proper channels, which is signing a release for them through medical records.

The second, and perhaps more frightening case, is of the nurse who disclosed a toddler was positive for measles in the pediatric ICU where she worked and then posted about it to an anti-vaxxer group she belonged to on social media.

She didn’t give the patient’s name, sex, or exact age so she should be okay, right? Many times, people think this is a way to get around HIPAA and sometimes they can be right— it depends on the volume of such a diagnosis. For instance, if my ER sees 5,000 patients a day (which is insane– I don’t know any ER that can even possibly do this) and I say we saw a patient with a rash (and that’s it) then that doesn’t necessarily signify the one I might be talking about because there were probably dozens of patients seen with a rash that day with that volume of patients. However, I will also say this could still be considered a HIPAA violation, but let me further illustrate my point.

The more unique and rare a medical diagnosis is, the more easily it would be to identify a patient even without disclosing name, sex, or age and that is this nurse’s first problem. There was probably only one patient in the PICU that had a medical diagnosis of measles. It had likely been in the news that there were measles cases in Texas (this is frequently disclosed for the public good to encourage vaccinations), but the nurse’s information narrows down the hospital, the general age group, and just how sick he was. Then neighbors can start thinking, “Hey, we live close to Texas Children’s and I haven’t seen Billy (totally made up name) in a while and he’s a toddler—” and then phone calls go out to Billy’s mom asking if he has measles. See?

The frightening aspect of the scenario, from a purely pediatric standpoint is, that even after seeing how sick this child was, she remained an anti-vaxxer and even mused about taking a swab from the ill child’s mouth and attempting to give wild measles to her own child! For one, I consider this child abuse. I truly cannot fathom in my mind how this nurse believes giving her child the real thing is preferred over a vaccine that can prevent the entire illness.

**The safest thing for ANY healthcare worker is to not discuss their patients at home or on social media no matter how vague they try to make the scenario.**

It is also the safest thing for authors who are writing these scenarios. As I’ve always said, you can have a character that violates HIPAA in your novel, but they must face repercussions for it. The positive side of this is that it increases the conflict in your story automatically. It also shows the reader that you’ve done your research.

Modern Family: S10/E7 Disclosing Pregnancy Results

/ Jordyn Redwood / Leave a comment

This blog post does contain spoilers for episode seven/season ten of Modern Family— you’ve been warned!

On a recent episode of the wildly popular ABC series Modern Family  (which I personally thoroughly enjoy) it was disclosed that Haley Dunphy is pregnant. However, the way her pregnancy was disclosed was a violation of patient privacy.

In the episode, Haley and her boyfriend, Dylan, are playing bumper cars when he playfully rear ends her while she’s applying lipstick (yes, in the bumper car). The end of the lipstick gets shoved up her nose and breaks off leading to a trip to the ER.

Evidently, Haley was given anesthesia to remove the piece of lipstick from her nose. They also x-rayed the nose (at some point) because they tell her it’s not broken. There’s some witty banter about how the injury happened and that she and Dylan want to remain childlike as long as possible which is when the doctor says, “Oh, we did a pregnancy test prior to your anesthesia and you’re pregnant.” This was done via a blood test.

Problem One: There’s really no reason to give anesthesia in this case. We remove foreign objects from pediatric noses all the time and never give anesthesia. Anesthesia is reserved for the OR. Sometimes, a patient might need a little something to chill them out for a procedure, for which we would use nasal Versed or Fentanyl. You don’t need to start an IV and recovery is not too long.

Problem Two: Not even sure why they needed to do an x-ray for a broken off end of lipstick in the nose. I don’t think the mechanism of injury warrants even thinking the nose is broken. Lipstick is soft after all.

Problem Three: A blood test used to determine pregnancy. This is rarely done and would be used more specific to determining pregnancy where problems in early pregnancy might be the concern— such as ectopic pregnancy or early pregnancy miscarriage. In this case, a urine test would suffice.

Problem Four: These days, disclosing pregnancy results must be done very carefully. As healthcare professionals, we don’t know who the male is at the bedside and if the patients wants that male to know about the pregnancy or not. The doctor should have asked Dylan to step out of the room as she disclosed the results to Haley. Then it’s Haley’s decision about whether or not to tell her boyfriend. The same is true if we discover a teen is pregnant in the ER who might be there with her parents. The parents are asked to step out and we’ll tell the teen. It’s up to her whether or not to disclose the results to her parents. We as healthcare professionals will encourage her to do so, but it is ultimately her decision.

I think the best way to have handled this situation would have been to perform the pregnancy test prior to her getting an x-ray of her nose, but even this would be a little outside the norm because shielding her abdomen would have been easy in this scenario.

Author Question: Small Town Care for Complex Medical Patient

/ Jordyn Redwood / 2 Comments

Holly Asks:

In the very first chapter of the story I’m working on, the main character gets sent to hospital. The character in question is a sixteen-year-old female who has been missing for eleven years. She is found in the woods surrounding the town it’s set in and presents naked, severely malnourished, heavily pregnant, and with a gunshot wound to her leg. There are other superficial injuries that one might get when attempting to flee nude through dense woodland. The town and hospital are relatively small. The hospital has seventy-five doctors and forty-five nurses on staff and it’s in a fairly isolated location.

I’ve got a few questions:

1 – Would the hospital I’ve  described be able to treat a patient in this condition? What would be the basics of this treatment?

2 – Is there a procedure hospitals have in place for patients who act violent? My character hasn’t been around people for eleven years. She’s borderline feral and she attacks a doctor when she wakes up. Since she’s pregnant, I wasn’t sure if they’d be able to sedate her.

3 – Can doctors share information about patients with police officers? Since she’s a missing person and a minor, the police are going to be involved but I’m not sure how much doctors can share.

Jordyn Says:

Hi, Holly! Thanks so much for sending me your questions. These are complex ones for sure.

Question #1: Could a small town rural hospital be able to care for this patient? Maybe. One thing I want to clear up is your ratio of doctors to nurses. Usually, there are many more nurses in a given area than physicians so maybe adjust your numbers if you’re making a point about this in your novel.

When I first read your question, I thought the medical care aspects might be cared for by a rural hospital, but it was going to be a tough undertaking. This victimized teen is going to need, at a minimum, five services to be in place to stay in a rural hospital— a good general practitioner (to manage her overall care), a nutritionist (for the malnutrition), a surgeon (surgical evaluation of the gunshot wound), an OB/GYN (for the pregnancy), and a psychiatrist and/or psychologist (just because she’s been held hostage for eleven years.) Already that list is going to be tough and likely insurmountable for the area you mention.

What tilts the balance for me in saying she would have to go to a large, urban center are the psychiatric issues you mention in your second question.

Question #2: Yes, hospitals have procedures in place for violent patients, but the staff and mental health care specialists who will be required to manage her care are likely to be found at an urban center.

Violent patients are generally managed in a step-wise fashion. Can talking to them de-escalate their behavior? Is there something they’re requesting that we can give them to get them to calm down? Does she have some sort of object (like a stuffed toy) that giving her would help if it was safe for her to have?

If it’s more a fight response because of what she’s been through and she’s a danger to herself and others then she’d have to be restrained and placed under one on one observation. This type of patient can tax staffing resources which is another reason why transfer might be best.

Each drug is given a category related to its potential to harm a developing baby that is easily searchable via the internet. The categories go from Category A to Category D. Category A is deemed safest to D which has proven adverse reactions in humans. Just because a drug is listed as Category C or D doesn’t mean it might not be used. Several things would be taken into account— what we call risks versus benefits.

For instance, if she was late in her pregnancy, the doctors could risk it because the baby is fully developed. This is tough, though. Many physicians will err on the side of what’s safest for the pregnancy. However, you can’t leave a patient restrained forever and some form of psychiatric medication could be warranted here.

Question #3: Can doctors share information with police officers? Yes, they can. There is actually a special provision listed in HIPAA (the law that rules over patient privacy) that allows for this. Police officers mostly need to document what “serious bodily injury” the patient has suffered so they can determine what criminal charges to bring against a perpetrator.

The other thing to consider is the size of the local police department. Small towns may not even have their own police department but rely on the county sheriff’s office and/or state police to handle the investigation of this crime.

I actually think the best place for this teen would be the closest children’s hospital. Children’s hospitals have specialized teams in place to manage issues particularly around crimes against children. The caveat would be her pregnancy— for which she would likely deliver at an adult center.

Hope this helps and good luck with your story!

Author Beware: Proof’s Problem with HIPAA

/ Jordyn Redwood / Leave a comment

Proof (not to be confused with my debut medical thriller with the same title) is a medical drama starring Jennifer Beals as renowned cardiothoracic surgeon Dr. Carolyn Tyler.

Dr. Tyler is recruited by billionaire Ivan Turing to investigate near death experiences (NDEs) as he is soon to face the other side due to a terminal cancer diagnosis.

Tyler is a skeptical atheist and believes death is the end— even though she’s had a NDE herself and longs to reconnect with her teenage son who died in a car accident.

Of course, Turing uses his wealth and a big donation to the hospital to obtain Tyler’s cooperation.

Through the course of her investigations, nearly every religious permutation of the after life is explored— past lives, reincarnation, and soul jumping among them.

The issue becomes when families become aware of Tyler’s investigations and want information that in real life she should never disclose. They’re clearly HIPAA violations. I’ve blogged extensively on HIPAA here, here, and here.

Why is HIPAA so important? It is the law. It’s what healthcare workers are instructed (pounded into the head) to protect every single day. It’s not taken lightly. Medical people have been fired for violating a patient’s privacy by disclosing healthcare related information.

However, the television show Proof seems to not understand what HIPAA entails.

In one instance, a mother who lost her son begins to believe his soul has inhabited another child’s body because he has the same rare blood type, same rare heart condition, and was a piano playing genius. The mother latches onto him and offers to pay for his medical care.

It becomes a sticky situation because the mother who lost her child begins to overstep her bounds and Dr. Tyler begins to believe she’s at risk for kidnapping this other boy over the loss of her son.

To prevent her from taking that step, she begins to list a litany of medical reasons why this patient isn’t her son. The problem is, this mother has no right to any of this information. It is a HIPAA violation.

In another instance, Dr. Tyler convinces a wife to donate her brain dead husband’s heart. Now, she has a vested interest in this happening because one of her patient’s with a rare blood type (evidently everyone in this show has a rare blood type) has been waiting for a heart for years and is running out of time.

The wife agrees and the heart is transplanted but the patient nearly rejects the heart. When the wife of the heart donor catches wind that this has happened (she seems to be hanging around the hospital after the donation has occurred) Dr. Tyler gives her detailed medical information on how the patient who received her husband’s heart is doing.

Again, this wife, even though she donated her husband’s heart, has no right to this information. In fact, donor and recipient identities are highly protected. It’s not that these families never meet, but it usually happens months after and is coordinated by the organ bank and not doctors on site.

In fiction, you can break the rules. Healthcare workers can disclose medical information but they should also face a consequence for it just like we do in real life. The plus, it dramatically increases the tension which is always the goal of any work of fiction.

HIPAA and Identity Thefts

/ Jordyn Redwood / Leave a comment

Did you know pediatric medical records are being targeted by identity thefts?

I recently attended a staff meeting where our hospital’s privacy officer gave a talk.

I’ve blogged a lot here about HIPAA. You can check out some of those posts below.

What he said that was interesting was that identity thefts are targeting pediatric medical records because they have all the info they need and are “clean” meaning no problems with credit.

Generally, a child’s credit score isn’t checked until they are 18 so the thieves have years and years to use their information for nefarious reasons. He recommended parents check their child’s credit rating every year to make sure their identity hadn’t been stolen.

Think he’s off target? Here’s a news article from March, 2011 that discusses exactly what he’s concerned about.

To read more about HIPAA pitfalls when writing fiction– check out the following links.

HIPAA and Law Enforcement

HIPAA Part I

HIPAA Part II

HIPAA Part III

Have you ever been the victim of identity theft?

Hostages: Episode 8 Analysis 3/3

/ Jordyn Redwood / Leave a comment

Over the past several posts I’ve been analyzing the CBS drama Hostages. These posts have concentrated on one particular episode and here are Part I and Part II.

Ellen discovers that the primary hostage takers wife is a patient at another hospital and she gives her one of the other captor’s the slip and proceeds to go over there and snoop.

The primary hostage taker’s wife is dying of cancer and desires for all treatment to stop. Her husband has begged her to press on and try one more round of chemo for the sake of their elementary school aged daughter.

Ellen finds the ill wife and she happens to be sleeping and begins to read through her chart that is located on a clipboard at the end of her bed.

Problem #1: This is a plain and simple HIPAA violation. Patient information is highly guarded and there is no way that much information is going to be out in the open for public consumption. Anyone could grab it– from our snooping doctor to housekeeping and if you aren’t directly caring for the patient then HIPAA says you have no reason to view the patient’s healthcare information.

The patient awakens and sees Ellen there. She assumes Ellen is a doctor her husband has hired to consult for an experimental medical treatment related to her cancer. Ellen wants her to go back to sleep so she grabs the patient’s PCA button and depresses it about three times and within five seconds (I counted) the patient falls quickly back to sleep.

Problem #2: Let’s just classify this section as PCA pumps in general.

A PCA pump (Patient Controlled Analgesia) functions to let the patient decide when they need pain medication. They allow the patient to stay on top of their pain before it gets out of control where it can be more difficult to temper down. They can deliver a basal rate (a small amount of medication all the time), a PCA dose (which is a bolus dose of the medication the patient decides when to self administer) or a combo of these two.

PCA pumps have safety mechanisms. The patient can only give themselves one dose every several minutes. Generally, it’s between 8-10 minutes. When our good doctor gives three subsequent doses– this is not medically feasible. No PCA pump would allow a patient to deliver that much for fear of overdose. Pumps are never set that way.

The other issue is how quickly the patient falls to sleep. IV morphine does work quickly but not THAT quickly.

Eventually, Ellen is discovered by the primary hostage taker. With her back turned to the PCA pump she is able to unlock the door and grab the syringe and threatens to inject the whole thing into his wife– thusly killing her.

Problem #3: PCA pumps are ALWAYS locked and doctor’s never have a key (unless you’re an anesthesiologist.) This is another safety feature of the pump for this very reason– we don’t want anyone accessing it and thereby overdosing the patient. The person in possession of the key would have been her bedside nurse. Newer pumps could have a key code for access.

Disasters and HIPAA

/ Jordyn Redwood / Leave a comment

HIPAA, the patient health privacy law, is not only a medical/writing hot topic, but evidently a social media one as well.

Here at Redwood’s, I’ve blogged A LOT about HIPAA and writers violation of the act. You can read some of those posts by following the links: Part I, Part II, and Part III.

Let’s look at a recent example that was social media focused and revolved around the Moore, OK F5 tornado that struck on May 20, 2013.

People, in general, want to be helpful. That’s one reason why social media is becoming an avenue to try and locate lost loved ones. You’ll see missing children posters and even teens/adults posting pictures in hopes of finding biological parents that may have adopted them out.

During the crisis in Moore, an “ad” (poster, plea– whatever you’d like to call it) was put up on Facebook stating that a child had been found and said child was located at the hospital and gave the hospital’s number.

What surprised me, honestly, was the backlash of some against this photo decrying a HIPAA violation.

Umm. . . well . . . no. I don’t personally believe so.

In order to have a full fledged HIPAA violation, medical information has to be disclosed with a patient’s name. Since the sign had absolutely no medical information— there was no violation. Even if it had said the child was a patient (which is did not)— there still wouldn’t have been a violation because it didn’t disclose treatment and/or diagnosis.

This is really no different than calling up the ER and asking— “Hey, is John Doe a patient there?” Giving a patient location is not a HIPAA violation. Saying, “Oh, Yea– Johnny is here and let me tell you— he’s not feelin’ that broken femur after his blood alcohol came back at 0.5” is clearly a violation because you’ve disclosed sensitive medical information.

But I digress.

See the difference?

Let’s cut people some slack– particularly when a disaster strikes their communities. Recognize the heart of what they were trying to do— get parent and child back together.

And let’s all continue to pray for this community.

Author Question: Disclosing Protected Health Information Under HIPAA

/ Jordyn Redwood / Leave a comment

Remember the nurse who committed suicide in the wake of the Australian radio DJ’s that posed as the Queen of England to get the medical staff to disclose private details of the Duchess?

I totally get, as a nurse, why she made that choice.

Every day, nurses face critical choices that can have dire consequences. Most often, I can say from being in this field for 25 years, that 99% of the time, medical people DO NOT have ill intentions toward their patients. They are not maliciously trying to harm people. Do mistakes happen . . . yes. But usually it is the result of a system wide problem.

This nurse that patched through the radio personality posing as the Queen of England probably was thinking, “Wow, the Queen! I better patch her through post haste. I wouldn’t want to do anything to upset the monarchy.”

She may have been star-struck– I don’t know. But we don’t ask for credentials over the phone. If you say your Britney Spears’s sister– why should I doubt you?

I can understand the horror this nurse must have felt when she learned of the prank. I know she likely feared for her job (and had every right to be fearful). I know she likely felt horrified that that one simple action of transferring a phone call led to mass attention being drawn her way.

Sadly, since I don’t know this nurse personally and am only guessing, this may have been the proverbial straw that broke the camel’s back.

HIPAA issues/violations can have dire consequences for the healthcare provider. We can lose our jobs.

In short, HIPAA is a set of laws designed to protect patient’s privacy. I’ve done a series on HIPAA that you can find here. Part 1, Part 2, and Part 3.

However, I recently got an author’s question that kind of took a new spin so I thought I’d cover it here.

Glenda asks:

In the novel I’m writing (my first), I have a young mother of a four-year-old who is in a coma because of an automobile accident hundreds of miles away from her home.  There are no other next of kin other than the child.  How can a minister who’s trying to help solve a mystery get more information about her condition? Who can the doctor disclose her condition to?  What information can be disclosed under HIPAA?  If you would address that in one of your future blogs, I would greatly appreciate it.  I’ve read through a lot of information but haven’t seen anything that addresses a situation such as this. Thank you so much!

Jordyn Says:

I think it will be hard for this minister to get information unless he became the appointed legal guardian over her (since she’s incapacitated and he’s caring for her son and they can’t find any other family.) This might be a better question to run by a lawyer– how could he become her legal guardian? The hospital is going to want someone they can go to. If he served that way— they would release information to him. Likely, he’d have to fill out a request through the medical records department.

In lieu of that– likely what he would be told would be the condition. Grave, Critical, Poor, Fair, Stable, Good— something along those lines without specific information.

In follow-up Glenda did ask her son-in-law who is a lawyer this question and here is her information after that consultation.

Glenda says:

My attorney son-in-law said that the minister would have to go before a judge to be a guardian ad litem (in South Carolina at least) in order to get medical information on the mother and to make decisions for the child while the mother was unable to do so.  Thanks for your advice!

My pleasure, Glenda. And best of luck with this novel.

******************************************************************************

Glenda Manus recently retired after teaching 30 years in an elementary school. Her love of reading good books prompted her to try and write one of her own. Though book writing is a challenge (Amen, sister!) she feels God is with her on the journey.

EMTALA and the Writer

/ Jordyn Redwood / Leave a comment

What is EMTALA and why should I, as an author (and maybe a healthcare consumer), care about it? EMTALA, like HIPAA, sounds like a foreign language but has large ramifications for healthcare providers. Here’s a series I did on HIPAA and how it is often dealt with poorly in fiction writing.

1. http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-13.html
2. http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-23.html
3. http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-33.html

EMTALA stands for the Emergency Medical Treatment and Active Labor Act. It was passed in 1986 as part of the Omnibus legislation and is sometimes referred to as COBRA. COBRA is the legislation that dictates how you’re covered by medical insurance when you change jobs.

The reason behind EMTALA was to prevent patients (those covered by Medicare, Medicaid, or without insurance) from being “dumped” to other institutions because of poor reimbursement or no reimbursement on part of the patient.

When refusing care (problem #1), the patients condition can deteriorate while they’re trying to get to another hospital. This is overall, of course, bad.

This only applies to those hospitals that receive Medicare and/or Medicaid funding which is virtually all US hospitals. If a hospital is found to have an EMTALA violation– heavy fines can be imposed and hospitals can lose their government funding. If that were to happen, the hospital would likely have to close its doors.

Dr. Tanya Goodwin covered how this relates to a patient in active labor in this post.

I thought I’d talk a little about how it relates to the emergency department.

Any patient that presents to the ER must be given a “medical screening exam”. This will vary from state to state on who can provide these exams. Some may require a physician while others may be okay having an RN complete it. This is dictated by that state’s scope of practice. Here are a few previous posts that deal with scope of practice issues:

1. http://jordynredwood.blogspot.com/2011/09/perinatal-providers-scopes-of-practice.html
2. http://jordynredwood.blogspot.com/2011/08/author-beware-wrong-medical-procedure.html

If the patient does not have an emergency, the hospital can “screen” that patient out to another facility, urgent care, or their doctor’s office to be seen later.

Let’s look at a real life example. I work in a pediatric ER. We generally treat patients up to age 21. After that– they need to transition to adult care.

So, let’s say I’m in triage and a 65 y/o male presents to the ER for treatment of an uninfected ingrown toe nail. Based on our treatment guidelines– being a pediatric facility– the on-duty physician can either treat or “medically screen” the patient out because though an ingrown toe nail may be painful– it is not a medical emergency.

Now, can you do this in your manuscript? A physician is fed up with a patient and kicks him out of the ER. Is that an EMTALA violation? Did he provide an exam? Was the patient having an emergency?

As a result of this law– generally a patient who collapses (maybe a patient suffering a gun shot wound is “dropped off” at the hospital) on hospital property needs to be given care. There have been instances of this on the news where someone collapsed and based on their position in relation to hospital property– care was or was not provided. EMTALA dictates the hospital’s response in these circumstances.

For more on EMTALA– you can read here.
http://www.emtala.com/faq.htm

Have you ever dealt with an EMTALA issue in your manuscript?