Author Beware: HIPAA– It’s No April Fools

Image by Gerd Altmann from Pixabay

One of the biggest errors authors make in regards to writing about something medical is that their character violates HIPAA. HIPAA is a law that outlines a patient’s rights regarding their protected health information (PHI). I’ve blogged extensively on this topic and you can find these posts by following these links:

Author Beware: The Law: HIPAA  Part 1/3
Author Beware: The Law: HIPAA Part 2/3
Author Beware: The Law: HIPAA Part 3/3

HIPAA and Law Enforcement
Author Beware: Proof’s Problem with HIPAA
Disasters and HIPAA
Modern Family: S10/E7 Disclosing Pregnancy Results

The simplest way to explain a HIPAA violation is that someone accesses a patient’s information when they are not directly caring for that patient and/or discloses protected health information about a patient publicly.

Two recent stories have highlighted each of these scenarios.

The first involves actor Jussie Smollett and several dozens of hospital employees accused of viewing his medical information at Northwestern Memorial Hospital in Chicago, Illinois. They were all fired, reportedly some didn’t even open the chart, but just “scrolled by” it. The point is, with today’s technology and electronic medical records, it is very easy to determine who has accessed someone’s health information. It’s basically tracked electronically. Unless you are directly involved in caring for a patient, it is illegal for you to look at their information. I can’t even access my own children’s medical charts at the hospital where I work unless I go through the proper channels, which is signing a release for them through medical records.

The second, and perhaps more frightening case, is of the nurse who disclosed a toddler was positive for measles in the pediatric ICU where she worked and then posted about it to an anti-vaxxer group she belonged to on social media.

She didn’t give the patient’s name, sex, or exact age so she should be okay, right? Many times, people think this is a way to get around HIPAA and sometimes they can be right— it depends on the volume of such a diagnosis. For instance, if my ER sees 5,000 patients a day (which is insane– I don’t know any ER that can even possibly do this) and I say we saw a patient with a rash (and that’s it) then that doesn’t necessarily signify the one I might be talking about because there were probably dozens of patients seen with a rash that day with that volume of patients. However, I will also say this could still be considered a HIPAA violation, but let me further illustrate my point.

The more unique and rare a medical diagnosis is, the more easily it would be to identify a patient even without disclosing name, sex, or age and that is this nurse’s first problem. There was probably only one patient in the PICU that had a medical diagnosis of measles. It had likely been in the news that there were measles cases in Texas (this is frequently disclosed for the public good to encourage vaccinations), but the nurse’s information narrows down the hospital, the general age group, and just how sick he was. Then neighbors can start thinking, “Hey, we live close to Texas Children’s and I haven’t seen Billy (totally made up name) in a while and he’s a toddler—” and then phone calls go out to Billy’s mom asking if he has measles. See?

The frightening aspect of the scenario, from a purely pediatric standpoint is, that even after seeing how sick this child was, she remained an anti-vaxxer and even mused about taking a swab from the ill child’s mouth and attempting to give wild measles to her own child! For one, I consider this child abuse. I truly cannot fathom in my mind how this nurse believes giving her child the real thing is preferred over a vaccine that can prevent the entire illness.

**The safest thing for ANY healthcare worker is to not discuss their patients at home or on social media no matter how vague they try to make the scenario.**

It is also the safest thing for authors who are writing these scenarios. As I’ve always said, you can have a character that violates HIPAA in your novel, but they must face repercussions for it. The positive side of this is that it increases the conflict in your story automatically. It also shows the reader that you’ve done your research.

HIPAA and Identity Thefts

Did you know pediatric medical records are being targeted by identity thefts?

I recently attended a staff meeting where our hospital’s privacy officer gave a talk.

I’ve blogged a lot here about HIPAA. You can check out some of those posts below.

What he said that was interesting was that identity thefts are targeting pediatric medical records because they have all the info they need and are “clean” meaning no problems with credit.

Generally, a child’s credit score isn’t checked until they are 18 so the thieves have years and years to use their information for nefarious reasons. He recommended parents check their child’s credit rating every year to make sure their identity hadn’t been stolen.

Think he’s off target? Here’s a news article from March, 2011 that discusses exactly what he’s concerned about.

To read more about HIPAA pitfalls when writing fiction– check out the following links.

HIPAA and Law Enforcement

HIPAA Part I

HIPAA Part II

HIPAA Part III

Have you ever been the victim of identity theft?

Disasters and HIPAA

HIPAA, the patient health privacy law, is not only a medical/writing hot topic, but evidently a social media one as well.

Here at Redwood’s, I’ve blogged A LOT about HIPAA and writers violation of the act. You can read some of those posts by following the links: Part I, Part II, and Part III.

Let’s look at a recent example that was social media focused and revolved around the Moore, OK F5 tornado that struck on May 20, 2013.

People, in general, want to be helpful. That’s one reason why social media is becoming an avenue to try and locate lost loved ones. You’ll see missing children posters and even teens/adults posting pictures in hopes of finding biological parents that may have adopted them out.

During the crisis in Moore, an “ad” (poster, plea– whatever you’d like to call it) was put up on Facebook stating that a child had been found and said child was located at the hospital and gave the hospital’s number.

What surprised me, honestly, was the backlash of some against this photo decrying a HIPAA violation.

Umm. . . well . . . no. I don’t personally believe so.

In order to have a full fledged HIPAA violation, medical information has to be disclosed with a patient’s name. Since the sign had absolutely no medical information— there was no violation. Even if it had said the child was a patient (which is did not)— there still wouldn’t have been a violation because it didn’t disclose treatment and/or diagnosis.

This is really no different than calling up the ER and asking— “Hey, is John Doe a patient there?” Giving a patient location is not a HIPAA violation. Saying, “Oh, Yea– Johnny is here and let me tell you— he’s not feelin’ that broken femur after his blood alcohol came back at 0.5” is clearly a violation because you’ve disclosed sensitive medical information.

But I digress.

See the difference?

Let’s cut people some slack– particularly when a disaster strikes their communities. Recognize the heart of what they were trying to do— get parent and child back together.

And let’s all continue to pray for this community.

HIPAA and Law Enforcement

I had a phone consultation with an author who wanted to discuss HIPPA.

As you know, HIPAA is a set of laws designed to protect patient privacy.

Here’re links to a previous series I did on HIPAA: Part I, Part II, and Part III.

His question centered around whether or not law enforcement was privy to medical info.

In the pediatric ER– we will readily discuss medical issues with law enforcement because it usually deals with us reporting child abuse. Police also need information so they know the degree of serious bodily injury (or SBI) to determine if charges should be pressed.

However, I didn’t know much about how my adult ER compatriots generally approached the issue. HIPAA is difficult to understand in its entirety and most healthcare professionals are apt to err on the side of providing no information rather than get in trouble for giving out information that they shouldn’t.

Keep in mind that the main crux of this law was also to give you the power to always view your medical information. A hospital or medical provider cannot keep your records from you. Even if you are in the hospital– you should be able to ask to see documents. What the hospital may do is have a representative sit with you to “watch” you so 1. you don’t tamper with the record and 2. they can explain the medical lingo.

Unfortunately, some places make it challenging for patients to get their information. You should absolutely have to sign a medical release form. But after that, I’ve known of hospitals to state it can be up to two weeks or more for records and that they may charge you for the copying of each page. That can be frustrating experiences for families.

Pertaining to this author’s question– come to find out through a little research for said author, that HIPAA does allow for discussions with law enforcement personnel.

Here is the particular section that pertained directly to the authors question from this link:

Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.34

Just goes to show you what you can learn whilst doing some research!

Author Beware: The Law– HIPAA (Part 2/3)

Situations involving minors can be an easy way to increase conflict in your manuscript. Here is an easy area to use.

Minors presenting to the ED for evaluation of a pregnancy or STD related complaint.

Here’s a set-up. Mother brings her 14 y/o daughter in to “get checked for pregnancy”. Okay, great. Already we have inherent conflict. After all, if the daughter was in agreement about allowing her mother to know this information, they could have done a home pregnancy test and matter solved.

At times, parents will bring their children to the ER thinking that, because they’ve signed them in as a patient and they’re the parent, we’ll have to do as they ask and they’ll learn the information that way.

This isn’t the case. Will we do the pregnancy test? Maybe. The patient has to be willing. Will we relay the pregnancy test results to the parent? If the 14 y/o patient says “no” then we will not.

Most states have laws surrounding minors and issues related to pregnancy or STD’s is protected information and can only be released to the patient. Depending on the state, the cut-off is 13 or 14 years. This is different from us giving information about a follow-up culture for strep throat.

I’ve had parents call back for these types of test results. Nope, can’t give you the information.

Another area is that minor patients can sign themselves into the ER without parental consent for these matters as well. Generally, for all other conditions, we have to make attempts to get the parent on the phone for verbal consent witnessed by two individuals.

What do we do?

As healthcare providers, we really do try and facilitate open dialogue between the parent and child. We’ll sit with the 14 y/o daughter privately and go over why it would be best for her to share this information, regardless of the results, with an adult.

Can you think of other healthcare situations involving minors that could be high areas of conflict?

Author Beware: The Law– HIPAA (Part 1/3)

Several months ago, I was watching a local TV news station when a nurse manager was being interviewed about the fact that you could look up ER wait times on the Internet before checking in. That’s a whole other can of worms I won’t get into today but the problem with her interview was that the camera shot included her standing next to their patient tracking board in which you could clearly see the last name of the patient, their age, and their medical complaint.

Stock Photo by Sean Locke
http://www.digitalplanetdesign.com

I almost fell out of my chair. This was a clear HIPAA violation and that ER manager should have known better than to be standing anywhere near that board.

Each time you visit the doctor’s office or sign into the urgent care or emergency department for treatment, you should be given a paper that outlines your rights under HIPAA which stands for the Health Insurance Portability and Accountability Act. It basically outlines rules on how to deal with a patient’s “protected health information” or PHI.

What this boils down to for the bedside clinical worker falls into a couple of areas and I’ll give some examples below.

1. I should be providing direct care to a patient or should have provided recent care in order to look up their chart. Some of you may remember the healthcare workers that were fired for accessing Brittney Spears medical information. They were likely fired under this provision.

2. I can’t share any specific information (name–never, age, and complaint) listed together in areas where other’s could become aware of the patient’s visit. This would include areas like social media (a big no-no). When cases are presented at medical conferences, generally all patient information is blacked out (say on x-rays). And the patient is only spoken of in general terms. Such as: 16y/o presented to the ER for evaluation of neck pain. Now, across the USA for one day, probably several patients presented with this complaint so how do you know which one it was?

3. I shouldn’t be sharing patient information with my spouse unless he has provided direct care to the patient as well. Therefore, since my husband is an accountant, I can’t say— “Oh, by the way our neighbor’s daughter was seen for a broken arm today in the ER.” Unless I’ve asked the mother specifically if it’s all right that I mention this to my husband, I have violated that patient’s rights by sharing that information with my spouse. Working in pediatrics, I’ve been in the situation often and don’t mention the visit at all when home.

4. Requests for information about a patient from the media generally go through the public relation’s office. This tends to happen more off hours, a reporter will get through to the ER desk and begin to ask questions. Most, if not all hospitals, are very firm that all media inquiries go through public relations. This allows them to control the message.

5. Patient information cannot be given over the phone unless specified by permission. This is why, when you fill out those HIPAA forms at your doctor’s office, they generally ask who they can talk to and what kind of information they can share. Perhaps you don’t want your husband to know why you were at the OB’s office. A caveat to this is giving information to your personal physician who is following up on your ER complaint. We will generally give specifics for this because they are providing your follow-up care.

Next post I’ll talk specifically about HIPAA and minors.