I worked in an internal medicine when the healthcare patient privacy laws went into effect. We had a training seminar and I even requested a special meeting with one of our corporate officers to clarify things for my specific office. I thought I had the laws down pretty good, then I started this new job a few months ago.
In this office, dermatology, the rule is that if a person is in the room with a patient, that’s implied consent to give that person the patient’s medical info. Or the doctor or assistant could just write on the front of the chart “Ok to give info to ____”. Or the patient can just give consent over the phone.
Today I balked at giving info to the mother of an 18-year-old. There was a stir, I was chastised. Did I miss all this within the seminar and meeting last year? I was taught that it had to be in writing, on a form, in front of a an employee of the office or, if signed outside of the office, witnessed by a notary.
If I’m right, I will stick to my guns and fight ignorance. If I’m wrong, I’ll have to seriously question my intelligence to not have gleaned this information earlier and to have been wrong this whole time.
Also, my office manager is under the impression that individual offices have the ability to set their own “policy” about privacy standards.
So, what’s up with this?
Individual offices can have their own policies, however, they can not conflict with HIPAA rules. You absolutely did the right thing. If there wasn’t a consent form signed by the patient saying that info could be given to her mother, had you given the info your boss could be looking at a law suit.
Yeah. I just *know that I’m right. After all, I was the Privacy Officer at my old job, AKA “HIPPA Queen”. I can see this is going to be a big bone of contention. After all, I *AM a trublmakr, which means I have no qualms about making a scene in order to right a wrong. I can’t even fathom that because someone was once in the room with a patient, they’re entitled to his protected information.
I WILL get to the bottom of this.
My advice in this situation, though, is to get out of troublemaker mode, and into ‘But I didn’t want to expose you to a lawsuit, wasn’t that being a good employee?’ mode.
They’ll like you a lot better if you concentrate on how you were protecting the office in being cautious, rather than concentrating on proving them wrong.
Just MHO, from another often troublemaker.
The rules for the release of PHI are complex. I am not an expert on whether an actual signed form is necessary or whether implied permission can be given. I can tell you, however, that it is possible that your original place of employment was interpretting the laws much more stringently than your new employer, so as to avoid any hint of a law suit. Your new employer, on the other hand, may be interpretting the law as written in a manner which may invite a law suit, but which, in the end, would likely be defensible under the statute.
Please also remember that as written, there is no private right to enforce HIPAA. Only Secretary of Health and Human Services can enforce HIPAA. HHS is a big department with a limited budget. Therefore, the odds of enforcement action being taken with respect to the possible violations you describe are currently rather minimal.
Finally, I understand that you are a troublemaker, but be careful. Zealous enforcement of HIPAA is not necessarily protected under employment statutes and you can be replaced if you make too many waves–and you will likely have no redress in court.
[disclaimer] IANAL [/disclaimer]
As I read the statutes, your employer is covered as long as their statement of privacy practices provided to the patients states their ‘implied consent’ rule. There is a range of permitted privacy policies; within that range, the crucial thing is that the service provider properly informs all of their patients of the policy & follows it.
Ah, thanks, SCSimmons. That makes sense. Yes, I’ve been known to stir up some shit in the name of conscientiousness, but I’ve matured to the point where I know how to do it tactfully and not make (too much of) an ass of myself.
Maybe my old employer WAS more strict because they’re a large corporation with 600 employees, while new job has around 30.
I’m going to call the number HHS has set up for questions, I just found that during another search.