A local hospital was closing a pulmonary rehab program due to inability to make money. Some of the patients were with instructors up to 8 years. Total patient care of approx 50 was over 210 years. The hospital offered a solution at another hospital and they didn’t like it. The patients asked for a solution. The team came up with a solution at a local gym and offered it as a solution. The patients loved it and close to 40 are following them to the new business. The hospital has fired the team 9 days in advance of closing accusing solicitation and HIPPA. The team admits to solicitation but doesn’t understand how there could be a HIPPA violation if they handed out fliers. A handful of fliers were mailed using phonebook information. HIPAA speaks to the fliers as allowed marketing material. It also says mailing info to the same individual is not a violation. What say you?
Without knowing more about this issue, it seems there could be a violation as the patient has a relationship with the hospital, which has the responsibility of protecting, and keeping confidential, the patient’s information. There are procedures which, when followed, allow a patient to be contacted. Your colleagues may have flouted those procedures thereby causing a potential liability to the hospital. Also, you may have a problem if the patient list was provided to the entity that mailed the flyers if that entity is not a covered entity.
Also, it’s HIPAA, not HIPPA.
Please reread your post. The sentence explaining why the hospital fired them makes no sense.
It is not a HIPAA violation. From here:
I know very little about HIPAA, but is the problem that the marketing materials came from a 3rd party? It was not the hospital sending marketing materials to their patients, right? - it sounds like it was a new business entity that did so; presumably the team did not have permission to disclose their patients names to the new business as potential clients.
The problem is that they didn’t send new fliers to everyone on the area. They only sent fliers to the client list. Knowing that someone is a client of a healthcare provider is protected info. To selectively target a client list, you need the permission of the healthcare provider.
Anybody got an English translation of this sentence?
Is this homework?
There were roughly 50 patients. If you look at their tenure in the program, it adds to 210 years. I was trying to put context on what the hospital was walking away from.
The “team” of people providing care were 2 Registered Respiratory Therapists (RRT). The patients asked them to find a solution other than what the hospital provided (go to another hospital). These 2 associates (RRT) under the covered entity passed out letters describing a solution that would take place after the hospital closed the program. The hospital fired them for solicitation after they found out about the letter. But, they are insinuating a HIPAA violation. We don’t see it based on our research. We still think the marketing material angle fits.
The therapists have access to the medical records for the purposes of providing medical services. They were not authorized to use the information for the purposes of marketing the services of their newly formed company.
Information that is provided to an external entity (the proposed ‘solution’ company) must be provided under specific conditions that include maintaining confidentiality of the information and limiting the use of the information.
The therapists admitted solicitation for a new company (I don’t know why you call it a ‘solution’?). That company probably doesn’t quite exist yet; probably does not have the required licenses and certificates; probably has not been audited for JACO or HIPAA; and has no patient care history (good or bad).
The hospital would be negligent to recommend such a company to their patients. BUT, had the HOSPITAL provided the brochures and recommendations, that would not be a HIPAA violation.
As described, it sounds like the therapists violated their employment contract with the hospital in using the patient information for an unauthorized use (solicitation for their new company) and may have exposed the hospital to charges of violation of HIPAA in that the patient’s information has been used by an external entity (the new company) for the purposes of marketing but that company does not meet HIPAA standards (e.g. has not passed a HIPAA audit).
If I understand you correctly, the gym would be the therapists’ new employer. I believe that is the problem. It would be one thing if the hospital, after deciding to close down the program sent the clients information about an alternative provider. These therapists were apparently not acting on behalf of the hospital, though. They were acting on behalf of the gym,and the hospital’s position appears to be that therapists had no right to take information that was acquired by the hospital for treatment purposes and pass it on to the gym- and it doesn’t matter that the therapists were the same people. To use a somewhat different example, if I go to a hospital for treatment, that doesn’t mean that every nurse, therapist, clerk and doctor employed by the hospital can now provide my medical information to their next employer.
The Patients asked for this solution
They are not providing a health care solution but wellness training
No Medicare patients - only those who personal pay
This is like a normal gym membership but with close personal guideance
The 2 RRT are now an LLC and renting gym space
The RRT did not use hospital information
They handed out a flier/letter (HIPAA claims face to face communication okay)
I think this is the key. I am certainly no expert on HIPAA matters, but the very fact that someone is a patient–heck, the fact that they have certain health coverage, even if they’ve never used it–is protected, confidential information that cannot be disclosed or used in certain ways. Seems to me someone here did exactly that no-no: used their insider’s access to confidential data to develop a marketing strategy on behalf of a third party, make a mailing list, etc.
Doesn’t even sound borderline. Where I work, I believe it would be a no-brainer, a “you’re out on your ass” decision rendered post haste. HIPAA violations are serious shit.
The patients asked an EMPLOYEE OF THE HOPSITAL for a solution. The RRTs were acting as EMPLOYEES of the HOSPITAL and should have been limited to companies that the HOSPITAL recommended. The employees went out on their own, created a new company, then started abusing their position in the hospital to make it appear that hospital employees were recommending the newly created company. That was wrong on a whole lot of levels.
HIPAA does not permit marketing of any kind… not for diapers… not for vitamins… not for fuzzy pink teddy bears… unless the patient’s information has been released in accordance with HIPAA regulations. Clearly, that was not the case here - the RRTs simply took the patient information and used it without any permission at all.
I understand why the Medicare reference (from JACO), but HIPAA doesn’t make any distinction about who has a right to privacy. All healthcare patients have a right to privacy (and other things listed in HIPAA). I was using JACO as an example of things that can be expected of an established healthcare provider who a hospital might feel comfortable recommending.
But now, you make it sound like this would be closer to an aerobics instructor than a heathcare provider… see marketing above.
Exactly. They have formed an independent company and that company has used patient information taken from the hospital (against hospital policy) to solicit new customers.
If the people targeted by the solicitation became known to the RRTs as a result of their employment with the hospital, then yes, the RRTs used hospital information.
Depending on the state this is in, the hospital could also bring criminal charges and/or civil charges. The hospital could also ask a judge to block the new company from providing services to the hospital’s prior patients.
The RRTs were acting as employees of the hospital and governed by hospital policy. I doubt very much that they would have been permitted to verbally promote an unproven company with no patient treatment record at all.
The problem is that they used their knowledge of the patients’ medical info to decide who to give fliers to. If they had put a stack of fliers in the waiting room for the collective “patients of program X”, they would be guilty of solicitation but not HIPAA violations. However, if they handed fliers to Sally Smith and Joe Jones because they knew they were patients of program X, it’s solicitation plus a HIPAA violation. The italicized part is the problem.
I agree that the end result of the table versus handing them out is the same. But your question wasn’t “is it fair”, it was “does the hospital have a case”, and the answer is yes.
If I were in administration of the hospital, I would submit a HIPAA complaint against the newly formed company as a CYA because it was also their employees who committed the violation. All it would take is just one patient to submit a complaint against the hospital. There is documented proof that the hospital is aware that it happened.
I think the fines run about $1000/incident, so that would about $50k for who ever is found guilty of the violation (either the hospital as employer or the new company).
My first lawyer said there was no violation but I’m taking this to a DC lawyer who helped write the law. I’ll let you know what he says. Its interesting that no one seems to care about the patients. We have 40 who are up in arms and ready to storm the hospital adn go to the media. The feel abandoned by the hospital an don’t understand how the hospital can feel there was a violation when they asked for it and are okay with receiving a letter. Remember, this is not electronic, paper or verbal information exchange of patient information. It was solicitation of a solution which is okay under the marketing rules (according to first lawyer and my research). They accept the firing but don’t understand where people are getting the HIPAA connection. If you could, please help me with the HIPAA code # that you think they are violating.
Think forward as well. Had they waited 9 days (until the official program closing) would they have been okay to contact patients by using phone book information?
Keep in mind that one of the instructors can recite all 50 patients by memory by remembering class time. She even knows where most live by memory due to doing billing for 8 years in addition to RRT duties…
No, it would still not be okay. They are soliciting those people based on knowledge of privileged medical information. You can’t do that without permission from the covered entity (the hospital). It doesn’t matter if the patients are okay with it. It’s not their call, it’s the hospital’s.
Again, if they had used a broader brush and simply advertised not specific to any person, they’d be fine as far as HIPAA is concerned. But targeting individuals based on your knowledge of their medical info is not allowed.
Exactly. You can’t use confidential data this way, even if there is alleged agreement from the patients. One patient decides differently, then the hospital is in the soup. Again, HIPAA rules can be complicated, but not in this regard, I don’t think. Is it confidential, HIPAA-protected information? Then you can’t use it thusly, period.
Remember, the Patients are now former patients. Can we contact them now? If not, PLEASE provide the HIPAA code # you think they are violating. I realize this is an opinion site but I need concrete information.