Proof’s Problem with HIPAA

Proof (not to be confused with my debut medical thriller with the same title) is a medical drama starring Jennifer Beals as renowned cardiothoracic surgion Dr. Carolyn Tyler.

Dr. Tyler is recruited by billionaire Ivan Turing to investigate near death experiences (NDEs) as he is soon to face the other side due to a terminal cancer diagnosis.

Tyler is a skeptical atheist and believes death is the end– even though she’s had a NDE herself and longs to reconnect with her teenage son who died in a car accident.

Of course, Turing uses his wealth and a big donation to the hospital to obtain Tyler’s cooperation.

Through the course of her investigations, nearly every religious permutation of the after life is explored– past lives, reincarnation, and soul jumping among them.

The issue becomes when families become aware of Tyler’s investigations and want information that in real life she should never disclose. They’re clearly HIPAA violations. I’ve blogged extensively on HIPAA here, here, here, here and here!

Why is HIPAA so important? It is the law. It’s what healthcare workers are instructed (pounded into the head) to protect every single day. It’s not taken lightly. Medical people have been fired for violating a patient’s privacy by disclosing healthcare related information.

However, the television show Proof seems to not understand what HIPAA entails.

In one instance, a mother who lost her son begins to believe his soul has inhabited another child’s body because he has the same rare blood type, same rare heart condition, and was a piano playing genius. The mother latches onto him and offers to pay for his medical care.

It becomes a sticky situation because the mother who lost her child begins to overstep her bounds and Dr. Tyler begins to believe she’s at risk for kidnapping this other boy over the loss of her son.

To prevent her from taking that step, she begins to list a litany of medical reasons why this patient isn’t her son. The problem is, this mother has no right to any of this information. It is a HIPAA violation.

In another instance, Dr. Tyler convinces a wife to donate her brain dead husband’s heart. Now, she has a vested interest in this happening because one of her patient’s with a rare blood type (evidently everyone in this show has a rare blood type) has been waiting for a heart for years and is running out of time.

The wife agrees and the heart is transplanted but the patient nearly rejects the heart. When the wife of the heart donor catches wind that this has happened (she seems to be hanging around the hospital after the donation has occurred) Dr. Tyler gives her detailed medical information on how the patient who received her husband’s heart is doing.

Again, this wife, even though she donated her husband’s heart, has no right to this information. In fact, donor and recipient identities are highly protected. It’s not that these families never meet but it usually happens months after and is coordinated by the organ bank and not doctors on site.

In fiction, you can break the rules. Healthcare workers can disclose medical information but they should also face a consequence for it just like we do in real life. The plus, it dramatically increases the tension which is always the goal of any work of fiction.

HIPAA and Identity Thefts

Did you know pediatric medical records are being targeted by identity thefts?

I recently attended a staff meeting where our hospital’s privacy officer gave a talk.

I’ve blogged a lot here about HIPAA. You can check out some of those posts below.

What he said that was interesting was that identity thefts are targeting pediatric medical records because they have all the info they need and are “clean” meaning no problems with credit.

Generally, a child’s credit score isn’t checked until they are 18 so the thieves have years and years to use their information for nefarious reasons. He recommended parents check their child’s credit rating every year to make sure their identity hadn’t been stolen.

Think he’s off target? Here’s a news article from March, 2011 that discusses exactly what he’s concerned about.

To read more about HIPAA pitfalls when writing fiction– check out the following links.

HIPAA and Law Enforcement

HIPAA Part I

HIPAA Part II

HIPAA Part III

Have you ever been the victim of identity theft?

Hostages: Episode 8 Analysis 3/3

Over the past several posts I’ve been analyzing the CBS drama Hostages. These posts have concentrated on one particular episode and here are Part I and Part II.

Ellen discovers that the primary hostage takers wife is a patient at another hospital and she gives her one of the other captor’s the slip and proceeds to go over there and snoop.

The primary hostage taker’s wife is dying of cancer and desires for all treatment to stop. Her husband has begged her to press on and try one more round of chemo for the sake of their elementary school aged daughter.

Ellen finds the ill wife and she happens to be sleeping and begins to read through her chart that is located on a clipboard at the end of her bed.

Problem #1: This is a plain and simple HIPAA violation. Patient information is highly guarded and there is no way that much information is going to be out in the open for public consumption. Anyone could grab it– from our snooping doctor to housekeeping and if you aren’t directly caring for the patient then HIPAA says you have no reason to view the patient’s healthcare information.

The patient awakens and sees Ellen there. She assumes Ellen is a doctor her husband has hired to consult for an experimental medical treatment related to her cancer. Ellen wants her to go back to sleep so she grabs the patient’s PCA button and depresses it about three times and within five seconds (I counted) the patient falls quickly back to sleep.

Problem #2: Let’s just classify this section as PCA pumps in general.

A PCA pump (Patient Controlled Analgesia) functions to let the patient decide when they need pain medication. They allow the patient to stay on top of their pain before it gets out of control where it can be more difficult to temper down. They can deliver a basal rate (a small amount of medication all the time), a PCA dose (which is a bolus dose of the medication the patient decides when to self administer) or a combo of these two.

PCA pumps have safety mechanisms. The patient can only give themselves one dose every several minutes. Generally, it’s between 8-10 minutes. When our good doctor gives three subsequent doses– this is not medically feasible. No PCA pump would allow a patient to deliver that much for fear of overdose. Pumps are never set that way.

The other issue is how quickly the patient falls to sleep. IV morphine does work quickly but not THAT quickly.

Eventually, Ellen is discovered by the primary hostage taker. With her back turned to the PCA pump she is able to unlock the door and grab the syringe and threatens to inject the whole thing into his wife– thusly killing her.

Problem #3: PCA pumps are ALWAYS locked and doctor’s never have a key (unless you’re an anesthesiologist.) This is another safety feature of the pump for this very reason– we don’t want anyone accessing it and thereby overdosing the patient. The person in possession of the key would have been her bedside nurse. Newer pumps could have a key code for access.

Disasters and HIPAA

HIPAA, the patient health privacy law, is not only a medical/writing hot topic– but evidently a social media one as well.

Here at Redwood’s, I’ve blogged A LOT about HIPAA and writers violation of the act. You can read some of those posts by following the links:

My Author Beware series: Includes HIPAA basics and examples of frequent authorly violations.

Part I: http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-13.html

Part II: http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-23.html

Part III: http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-33.html

HIPAA and the Australian DJs

HIPAA and Law Enforcement

Let’s look at a recent example that was social media focused and revolved around the Moore, OK F5 tornado that struck on May 20, 2013.

People, in general, want to be helpful. That’s one reason why social media is becoming an avenue to try and locate lost people. You’ll see missing children posters and even teens/adults posting pictures in hopes of finding biological parents that may have adopted them out.

During the crisis in Moore, an “ad” (poster, plea– whatever you’d like to call it) was put up on Facebook stating that a child had been found and said child was located at a hospital and gave the hospital’s number.

What surprised me, honestly, was the backlash of some against this photo decrying HIPAA violation.

Umm. . . well . . . no. Not. At. All.

In order to have a full fledged HIPAA violation, medical information has to be disclosed with a patient’s name. Since the sign had absolutely no medical information– there was no violation. Even if it had said the child was a patient (which is did not)– there still wouldn’t have been a violation because it didn’t disclose treatment and/or diagnosis.

This is really no different than calling up the ER and asking– “Hey, is John Doe a patient there?” Giving a patient location is not a HIPAA violation. Saying, “Oh, Yea– Johnny is here and let me tell you– he’s not feelin’ that broken femur after his blood alcohol came back at 0.5.”

But I digress.

See the difference?

Let’s cut people some slack– particularly when disasters strike their communities. Recognize the heart of what they were trying to do– get parent and child back together.

And let’s all continue to pray for this community.

Author Question: Australian DJs and HIPAA

Remember the nurse who committed suicide in the wake of the Australian radio DJ’s that posed as the Queen of England to get the medical staff to disclose private details of the Duchess?

I totally get, as a nurse, why she made that choice. 

Every day, nurses face critical choices that can have dire consequences. Most often, I can say from being in this field for almost 20 years, that 99% of the time, medical people DO NOT have ill intentions toward their patients. They are not maliciously trying to harm people. Do mistakes happen . . . yes. But usually it is the result of a system wide problem.

This nurse that patched through the radio personality posing as the Queen of England probably was thinking, “Wow, the Queen! I better patch her through post haste. I wouldn’t want to do anything to upset the monarchy.” 

She may have been star-struck– I don’t know. But we don’t ask for credentials over the phone. If you say your Britney Spears’s sister– why should I doubt you?

I can understand the horror this nurse must have felt when she learned of the prank. I know she likely feared for her job. I know she likely felt horrified that that one simple action of transferring a phone call led to mass attention being drawn her way. 

Sadly, since I don’t know this nurse personally and am only guessing, this may have been the proverbial straw that broke the camel’s back. 

HIPAA issues/violations can have dire consequences for the healthcare provider. We can lose our jobs.

In short, HIPAA is a set of laws designed to protect patient’s privacy. I’ve done a series on HIPAA that you can find here:

http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-13.html

http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-23.html

http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-33.html

http://jordynredwood.blogspot.com/2012/11/hipaa-and-law-enforcement.html

However, I recently got an author’s question that kind of took a new spin so I thought I’d cover it here.

Glenda asks:
  
In the novel I’m writing (my first), I have a young mother of a four-year-old who is in a coma because of an automobile accident hundreds of miles away from her home.  There are no other next of kin other than the child.  How can a minister who’s trying to help solve a mystery get more information about her condition? Who can the doctor disclose her condition to?  What information can be disclosed under HIPAA?  If you would address that in one of your future blogs, I would greatly appreciate it.  I’ve read through a lot of information but haven’t seen anything that addresses a situation such as this. Thank you so much!

Jordyn Says:

I think it will be hard for this minister to get information unless he became the appointed legal guardian over her (since she’s incapacitated and he’s caring for her son and they can’t find any other family.) This might be a better question to run by a lawyer– how could he become her legal guardian? The hospital is going to want someone they can go to. If he served that way— they would release info to him. Likely, he’d have to fill out a request through the medical records department.


In lieu of that– likely what he would be told would be the condition. Grave, Critical, Poor, Fair, Stable, Good.– something along those lines without specific information. 

In follow-up Glenda did ask her son-in-law who is a lawyer this question and here is her information after that consultation.

Glenda says:

My attorney son-in-law said that the minister would have to go before a judge to be a guardian ad litem (in South Carolina at least) in order to get medical information on the mother and to make decisions for the child while the mother was unable to do so.  Thanks for your advice!



My pleasure, Glenda. And best of luck with this novel. 

******************************************************************************

Glenda Manus recently retired after teaching 30 years in an elementary school. Her love of reading good books prompted her to try and write one of her own. Though book writing is a challenge (Amen, sister!) she feels God is with her on the journey.
 

EMTALA and the Writer

What is EMTALA and why should I, as an author (and maybe a healthcare consumer), care about it? EMTALA, like HIPAA, sounds like a foreign language but has large ramifications for healthcare providers. Here’s a series I did on HIPAA and how it is often dealt with poorly in fiction writing.

1. http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-13.html
2. http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-part-23.html
3. http://jordynredwood.blogspot.com/2011/12/author-beware-law-hipaa-33.html

EMTALA stands for the Emergency Medical Treatment and Active Labor Act. It was passed in 1986 as part of the Omnibus legislation and is sometimes referred to as COBRA. COBRA is the legislation that dictates how you’re covered by medical insurance when you change jobs.

The reason behind EMTALA was to prevent patients (those covered by Medicare, Medicaid, or without insurance) from being “dumped” to other institutions because of poor reimbursement or no reimbursement on part of the patient.

When refusing care (problem #1), the patients condition can deteriorate while they’re trying to get to another hospital. This is overall, of course, bad.

This only applies to those hospitals that receive Medicare and/or Medicaid funding which is virtually all US hospitals. If a hospital is found to have an EMTALA violation– heavy fines can be imposed and hospitals can lose their government funding. If that were to happen, the hospital would likely have to close its doors.

Dr. Tanya Goodwin covered how this relates to a patient in active labor in this post.

I thought I’d talk a little about how it relates to the emergency department.

Any patient that presents to the ER must be given a “medical screening exam”. This will vary from state to state on who can provide these exams. Some may require a physician while others may be okay having an RN complete it. This is dictated by that state’s scope of practice. Here are a few previous posts that deal with scope of practice issues:

1. http://jordynredwood.blogspot.com/2011/09/perinatal-providers-scopes-of-practice.html
2. http://jordynredwood.blogspot.com/2011/08/author-beware-wrong-medical-procedure.html

If the patient does not have an emergency, the hospital can “screen” that patient out to another facility, urgent care, or their doctor’s office to be seen later.

Let’s look at a real life example. I work in a pediatric ER. We generally treat patients up to age 21. After that– they need to transition to adult care.

So, let’s say I’m in triage and a 65 y/o male presents to the ER for treatment of an uninfected ingrown toe nail. Based on our treatment guidelines– being a pediatric facility– the on-duty physician can either treat or “medically screen” the patient out because though an ingrown toe nail may be painful– it is not a medical emergency.

Now, can you do this in your manuscript? A physician is fed up with a patient and kicks him out of the ER. Is that an EMTALA violation? Did he provide an exam? Was the patient having an emergency?

As a result of this law– generally a patient who collapses (maybe a patient suffering a gun shot wound is “dropped off” at the hospital) on hospital property needs to be given care. There have been instances of this on the news where someone collapsed and based on their position in relation to hospital property– care was or was not provided. EMTALA dictates the hospital’s response in these circumstances.

For more on EMTALA– you can read here.
http://www.emtala.com/faq.htm

Have you ever dealt with an EMTALA issue in your manuscript?

HIPAA and Law Enforcement

I had a phone consultation with an author who wanted to discuss HIPPA.

As you know, HIPAA is a set of laws designed to protect patient privacy.

Here’re links to a previous series I did on HIPAA: Part I, Part II, and Part III.

His question centered around whether or not law enforcement was privy to medical info.

In the pediatric ER– we will readily discuss medical issues with law enforcement because it usually deals with us reporting child abuse.

However, I didn’t know much about how my adult ER compatriots generally approached the issue. HIPAA is difficult to understand in its entirety and most healthcare professionals are apt to err on the side of providing no information rather than get in trouble for giving out information that they shouldn’t.

Keep in mind that the main crux of this law was also to give you the power to always view your medical information. A hospital or medical provider cannot keep your records from you. Even if you are in the hospital– you should be able to ask to see documents. What the hospital may do is have a representative sit with you to “watch” you so 1. you don’t tamper with the record and 2. they can explain the medical lingo.

Unfortunately, some places make it challenging for patients to get their information. You should absolutely have to sign a medical release form. But after that, I’ve know of hospitals to state it can be up to two weeks or more for records and that they may charge you for the copying of each page. That can be frustrating experiences for families.

Pertaining to this author’s question– come to find out through a little research for said author, that HIPAA does allow for discussions with law enforcement personnel.

Here is the particular section that pertained directly to the authors question from this link:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.34

Just goes to show you what you can learn whilst doing some research!