Is this a HIPAA violation?

Is this a HIPAA violation? - or am I about to overreact?

We received an envelope from a lab that our doctor’s office sends blood tests to. The envelope was addressed to my husband.

It contained a bill for 3 blood tests I had done. The bill is very explicit about what I was being tested for. My name was listed at the head of the list of tests, but the bill and envelope were addressed to my husband. Nowhere on the outside of the envelope was my name, so legally I was not allowed to open it.

My husband is the insured and I am on his insurance, but I have my own insurance card with my name on it which the doctor’s office uses when treating me. As far as I can recall, all other bills I’ve gotten from all other providers have been addressed to me.

Does this qualify as a HIPAA violation? If so, who should I call to talk to about this at the lab? Do they have some kind of “HIPAA official” I should be trying to reach?

You have every right to be upset about this. He might be your husband, but that is your personal medical information.

See here about filing a complaint:

Thanks. I’m not sure how well I understand the ins and outs of HIPAA.
I will definitely be calling the lab tomorrow and want to make sure I know the facts before I open my mouth. :slight_smile:

Are spouses considered one and the same person for the purposes of HIPAA?

The reason a spouse cannot be compelled to testify against its spouse is because, legally, they are a single person, and forcing testimony would violate 5th Amendment (can’t be forced to testify against oneself).

Absolutely not.

I think I might have an even more interesting one. I got a bill in the mail with my ex-wife’s name on it. I see her about once a week so I just tossed it on a table and handed it to her the next time I saw her. When she stopped over a few days later to drop off my daughter I handed it to her and she opened it and on it was a charge for my daughter seeing her pediatrician as well as my ex seeing her own doctor. My daughter is covered by my insurance. My ex has her own insurance, her own address, a different last name…her own life.

The only thing that connected these two things is that the doctors practice under the same medical group (not the same office, just the same big medical group), so they share the billing.

I called the number on the bill and explained the situation. The person I spoke to simply explained that my ex is the person financially responsible for my daughter’s medical bills (a holdover from being married, I assume). To which I replied that if that was the case, the bill should have gone to my ex, at her address (and I would have paid it). I further explained that there was no reason it should have come to me, period. (My ex’s name was at the top, with my address). I told them that if my ex and I weren’t on speaking terms, I would have just tossed it in the trash and moved on and again explained that if my ex was the one getting billed it should have gone to her house, not mine and if they had my address, it should have my name. In the five years since we’ve been apart, I’ve received plenty of bills (from that group) for my daughter, with my name at the top.

When I asked them to separate the two charges (send me the bill for my daughter, send my ex the bill for herself), she needed to get the OK from her supervisor and the dr’s office and even asked if I wanted to just pay my daughter’s portion of the bill. I told her I wasn’t okay with that, I had no interest in making a payment that had my ex’s name on it. I mean, what if they applied the payment to the wrong charge? What if my ex decided not to pay her portion? What if? What if?

To be fair, I’ve always gotten the bills for my daughter. I think it’s just that my daughter and my ex happened to go to the dr in the same month and the two bills combined. I’ll give them that it was an honest mistake, a fluke within the billing system. What was odd is that they really didn’t understand why I thought it was odd and wrong that I had in my hand a bill for my ex-wife’s gyno visit. All I was hoping for, after I explained the error was an ‘I’m sorry, that shouldn’t have happened, I’ll send out separate bills and update the system so it doesn’t happen again’. The second I called up and said ‘You sent a bill to my address for my ex-wife’s dr’s visit’ (and then explained the rest), there shouldn’t have been an argument, I shouldn’t have had to convince them to fix it, I shouldn’t have had to explain to them why it was wrong.

FTR, I wasn’t yelling or angry, I was just very stern and played it off as “If I’m getting her bills, how do I know where my bills are going?”

There is one possible issue that might be relevant. My understanding is that medical staff are allowed to share medical information with your family members if you do not object to them doing so.

This is something of a gray area because not objecting to something is not as conclusive as approving something. But if the lab has addressed your results to your husband in the past, they can argue that you hadn’t said anything before now so they figured you didn’t mind them doing it.

That said, if you do tell them you object they are required to stop doing it from now on.

I work for an insurance company, and the answer is absolutely not. Without the appropriate written or verbal authorization on file a member’s spouse has exactly as much right to information as a random person who called in. Ditto for adult children of elderly members, parents of disabled adults, and even parents or guardians of minor children. :smack:

No they’re not, and I’ve torn office staff hospital personnel for presuming to do so on different occasions. They are allowed to use their own judgement if the patient is impaired, or situations like accidents, but the rule is the patient must specifically authorise who information can be shared with.

All of my doctors ask me to fill out a bunch of forms once a year. There is always one question about who is allowed to be told about my medical issues. If I do not state that my husband is allowed, he would not even be able to take a message from the doctor about test results or anything else. Their mail, including bills, is only addressed to me.

Personally, I think what they did is a violation.

No, they are not.

No, you’d need to explicitly permit another person to have access to your info. Even if you did, there is no reason to make that person the primary contact person and addressee.

This is incorrect. Adult patients have to sign specific paperwork to allow specific, named family members access to their medical information.

ETA: I just did my annual HIPAA training!

Agreed, and given the number of divorced and remarried people in the world, fixing the problem should NOT require the approval of a supervisor!

Okay. But let me note that I didn’t just make this up. I got it from the US Department of Health and Human Services.

Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care

“A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object.”

*“HIPAA does not require that a health care provider document the patient’s agreement or lack of objection.”*

Sharing Health Information with Family Members and Friends

*“However, if you don’t object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.”*

Health Information Privacy

“The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.”

“As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object.”

I think you may be misinterpreting some things.

Her husband is not “involved in her care”. He is another adult in the house. A caregiver is involved in someone’s care, an adult child who is present at an appointment, a family member present in an emergency etc.

“Does not object” means when asked or given the opportunity does not object. It doesn’t mean the patient has to proactively state an objection. For example, your second link clearly says “if you are present and don’t object…”

It’s been a long time since I worked in a place covered by HIPAA, but among all the standard privacy notices were the form to specify friends or relatives the patient wanted to be able to receive information, and a form the patient needed to sign if they did not want their spouse to be able to receive information. Both of them were copies of forms provided by HHS.

It is apparently not widely known, but HIPAA expressly permits a health care provider to disclose Personal Health Information (PHI) without patient consent in connection with obtaining payment. See here and click on “General Principle for Uses and Disclosures,” then look at item 2 and “Payment.” Disclosures to a named policyholder are thus often permissible even without express consent.

This shows up most often in connection with the widespread practice of sending EOBs for all covered patients to the named policyholder. See here (pdf), at the bottom of p.4 for one example. Here is a fuller discussion of the privacy issues involved, and the trade-offs that drive this exception.

There are exceptions to this exception and so forth, so it still may be worth discussing with your provider.

Ok, it’s been a while, and I’m tired and not up to citing sources, but as a sometime practice manager and physician’s wife, y’all ought to know this:

HIPAA was **not** intended to be a safeguard for patient privacy. Look at the name, for Pete’s sake. “Health Insurance Portability and Accountability Act.” Not “Health Insurance Privacy…Act.” The whole idea is rather counter to patient privacy. (!) It was designed to ensure that certain eligible clients (?) could maintain reasonable health insurance while switching jobs. That you couldn’t go somewhere else and lie about having leukemia. Or, that the employer wouldn’t make you go through a bunch of pre-existing tests/clauses again. Understand this–a lot of HIPAA regulations were enacted just so that you couldn’t hide a pre-existing condition, claim family members that you weren’t expressly paying for, or receive services subsidized by U.S. gov. (HHS, etc) that were not covered.

OTOH, it was a first, and admirable, step in trying to set up a kind of universal health record–which we STILL don’t have–as anyone who has had to move and recall old dr. names, etc., to get records transferred knows. As I understood it, most of the privacy stuff was meant to protect citizens from having their employers know exactly why they missed work that week. But, as anyone who has had to deal with disability, FLA, workman’s comp, or EAP (mental health, don’t get me started on the confidentiality breaches there), privacy is a very ethereal concept.

Don’t get hung up on who sees your medical bills, is all I am saying. Please. **Prisoners** handle medical insurance claims. People in the waiting rooms hear your name called out. Your billing from the clinic might be handled by the MD’s teenaged daughter, and your MD may not know the first thing about keeping his laptop and records secure. :rolleyes: Not that I would know.

My understanding is that most medical organizations have chosen to adopt much more stringent standards of confidentiality than are actually required by HIPAA. So an employee might be told that they cannot reveal any information to a patient’s spouse without the patient’s prior explicit consent. And the employee will assume this is a HIPAA policy when it’s actually a policy of their organization.

This, and thank you ITD for not making me tax my under-caffeinated brain for an explanation. :slight_smile:

Knock, knock!
Who’s there?
HIPAA.
HIPAA who?
I’m sorry, I can’t answer that.