[ Monday, June 18, 2012 ]
Utah Data Breach -- Ancillary actions:
Here's an interesting twist on the huge Utah state Medicaid system data breach. As you may know, the Utah Medicaid program's
computer database was hacked, apparently to steal social security numbers and other information for identiy theft purposes. One victim, a professor
at the University of Utah, discovered that her name was one that was hacked. But that was curious, because she's not a Medicaid recipient. It seems that one of her providers may have queried the Medicaid system to see if she was a potential recipient. The question: did that provider have permission to do so? Assuming the provider knew she had insurance, would disclosing her name to the Medicaid program be an allowed disclosure for payment purposes, or would an authorization be needed? Wouldn't the provider's NoPP need to state that such a disclosure would be made (or at least have a broad enough description of "payment" to include such an inquiry)?
Jeff [12:20 PM]
Blogger: HIPAA Blog - Edit your Template