Is this a HIPAA violation?

[Bricker]

This thread is in the correct forum, to be sure. Lots of opinions here.

To the extent that the factual situation might interest anyone:

Motorgirl:

Is this a HIPAA violation? - or am I about to overreact?

It might not be a violation. The HIPAA regulations at 45 CFR § 160.103 define “Protected Health Information,” and that definition almost certainly covers the specific blood test information you mention. And the doctor’s office is almost certainly a “Covered Entity.” This means, again speaking in likely generalities, that the doctor’s office (“Covered Entity”) may not disclose specific blood test results (“Protected Health Information”) except under certain defined exceptions.

One such exception relates to payment. A Covered Entity can disclose information from a “…health care provider or health plan [in order] to obtain or provide reimbursement for the provision of health care…” (45 CFR § 164.501). To the extent that the named insured has any role in approving expenditures (say, for example, in the case of a jointly-shared spending cap for services) this disclosure would probably be warranted.

Honey:

You have every right to be upset about this. He might be your husband, but that is your personal medical information.

Anyone has a right to be upset about anything. But there’s a factual answer to the question, “Is this a HIPAA violation?”

usedtobe:

The reason a spouse cannot be compelled to testify against its spouse is because, legally, they are a single person, and forcing testimony would violate 5th Amendment (can’t be forced to testify against oneself).

No, not remotely accurate.

At one time, a framework of laws called coverture laws did indeed create the presumption that a married couple were one in many ways; a married woman could not, for example, own separate property and the husband would be liable for many of his wife’s actions. This is humorously highlighted in dialog from Dickens’ Oliver Twist: when Brownlow learns that Bumble has destroyed trinkets that would have shed light on Oliver’s origins, Bumble protests that was his wife and not he who disposed of the objects. Brownlow retorts that he is still the more guilty in the eyes of the law; for the law presumes that your wife acts under your direction. Bumble responds, “If the law supposes that, the law is a ass – an idiot. If that’s the eye of the law, the law is a bachelor; and the worst I wish the law is, that his eye may be opened by experience!”

However, what was true in Dickens’ time is not true today. The spousal privilege is today grounded on the public policy of preserving marital harmony as opposed to forcing a spouse to testify adversely to the interests of his or her partner. As the Supreme Court explained in Trammel v. U.S.: “The ancient foundations for so sweeping a privilege have long since disappeared. Nowhere in the common-law world - indeed in any modern society - is a woman regarded as chattel or demeaned by denial of a separate legal identity and the dignity associated with recognition as a whole human being. Chip by chip, over the years those archaic notions have been cast aside so that ‘[n]o longer is the female destined solely for the home and the rearing of the family, and only the male for the marketplace and the world of ideas.’”

[Anaamika]

That’s interesting, because I recently also got an itemized statement of my medical issues - addressed to my husband also. I just assumed it was because I was under his insurance so he had a right to know what I was getting treated for. He knows everything anyway, so it’s not like I care. I hadn’t thought of it as a HIPAA violation.

Does it make a difference that it is his insurance?

[bump]

Little_Nemo:

My understanding is that the most medical organizations have chosen to adopt much more stringent standards of confidentiality than are actually required by HIPAA. So an employee might be told that they cannot reveal any information to a patient’s spouse without the patient’s prior explicit consent. And the employee will assume this is a HIPAA policy when it’s actually a policy of their organization.

The big catch comes in when the spouse is the actual insurance subscriber; they’re on the hook for all the paperwork on THEIR policy, so they get a certain amount of insight into what’s being charged/coded to their policy.

I mean, I get bills for my wife all the time. They don’t list out the CPT or ICD codes, but they will say that it was lab tests, or physical therapy or stuff like that.

That’s not a HIPAA violation in and of itself; listing the diagnosis and treatments would be, but an itemized bill isn’t.

[Motorgirl]

bump:

That’s not a HIPAA violation in and of itself; listing the diagnosis and treatments would be, but an itemized bill isn’t.

What about specific lab tests - it’s pretty explicit what they were looking for in the blood tests.

[Mama_Zappa]

Little_Nemo:

There is one possible issue that might be relevant. My understanding is that medical staff are allowed to share medical information with your family members if you do not object to them doing so.
…

Actually I think it works the other way. They are not allowed to share UNLESS you explicitly permit it.

As it happens, most doctors’ intake paperwork includes a notation asking with whom they may share information, and the relationship. If the OP signed something at some point saying it was OK to tell the spouse, then it’s not a HIPAA violation as far as I understand it.

It was, however, stupid of them to mail it to your husband and not you.

The only egregious HIPAA violation I’ve encountered was shortly after HIPAA was passed when they were still working things out. My new doctor tested me for some stuff, and tried calling me at work to give me some results. I had left for the day. As a result, my officemate (and boss) knew I had a thyroid condition before I did :eek:. Yeah, I spoke with the doc about THAT one (and considered switching doctors; fortunately it was never repeated).

As far as why not share with the spouse: let’s say he’s an abuser and you’ve had a pregnancy test: that could spur a beating or worse. I had blood work done a few years ago to check for possible causes of RLS and neuropathy; one of the tests was, as it turned out, for syphilis (negative of course!!!). While my husband is no abuser, it could have been marriage-ending if it had come back positive and he’d opened it.

[Doug_K]

Mama_Zappa:

Actually I think it works the other way. They are not allowed to share UNLESS you explicitly permit it.

Did you read the links Little Nemo posted? HHS says otherwise.

Little_Nemo:

Health Information Privacy

“The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.”

“As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object.”

This also previously linked document goes even further in the column labeled “Family Member or Friend”:

Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient’s best interest.

[bump]

Motorgirl:

What about specific lab tests - it’s pretty explicit what they were looking for in the blood tests.

I’d think, but am not 100% sure that HIPAA is a little different when it comes to subscribers and dependents, like I was getting at before.

I don’t think they can report exactly what the blood tests are, except in the broadest terms, but they can report that. In other words, they can reveal that you had bloodwork done on the insurance, but they can’t say that it was a CBC or STD test or whatever, and certainly not the results.

If I had to guess though, there was probably some clause in all that HIPAA paperwork you signed that gave your spouse or your insurance subscriber access to that kind of thing. I know quite a few have clauses that read something like “We can share your information with other business partners and medical providers”. This is usually more in the lines of situations where two companies work as one from the patient’s perspective, but are actually 2 separate outfits, like say… the ER and the ER doc. Rather than fill out a separate form for the ER and the ER doc (who’s usually not an employee of the hospital), they write something like that in the paperwork so that they can share your hospital blood work with the ER doc without running afoul of HIPAA.

[HeyHomie]

In states that allow medical marijuana, there’s this weird, bizarro-world overlap of federal and state laws with regard to privacy laws because, on the one hand, federal law - viz, HIPAA - covers patient privacy, but on the other hand, does not allow medical marijuana in the first place.

To this end, MM states have created boilerplate language to afford medical marijuana patients the same level of privacy they’d be given in a regular medical practice.

Lawyers call it the HIPAA Pot Among Us Clause.

::rimshot::

(NOTE: Another Doper came up with that joke a long time ago; I’m just repeating it. I do not take credit for it.)

[Inna_Minnit]

usedtobe:

Are spouses considered one and the same person for the purposes of HIPAA?

The reason a spouse cannot be compelled to testify against its spouse is because, legally, they are a single person, and forcing testimony would violate 5th Amendment (can’t be forced to testify against oneself).

Nope. The only way this might have happened is if your husband is listed as the responsible party. Csll the lab and ask for their compliance officer.

[IvoryTowerDenizen]

HeyHomie:

In states that allow medical marijuana, there’s this weird, bizarro-world overlap of federal and state laws with regard to privacy laws because, on the one hand, federal law - viz, HIPAA - covers patient privacy, but on the other hand, does not allow medical marijuana in the first place.

To this end, MM states have created boilerplate language to afford medical marijuana patients the same level of privacy they’d be given in a regular medical practice.

Lawyers call it the HIPAA Pot Among Us Clause.

::rimshot::

(NOTE: Another Doper came up with that joke a long time ago; I’m just repeating it. I do not take credit for it.)

I may have to steal that for the next time I lecture about HIPAA. I’m not sure I can pull it off though.