[ Friday, December 10, 2004 ]
Shades of UC San Francisco's Pakistani transcriptionist problem:
UC Davis Medical Center has a vendor that helps the hospital and its physicians harness the Internet, so that patients can use the Internet to schedule appointments, refill prescriptions, and similar activities. As often happens with customer-service companies, the vendor set up a survey and asked patients using the Internet portal to fill out the survey, so that Cal Davis could improve their services. All well and good, no?
Well, according to this article
, like many internet surveys, the survey allowed anyone completing it to see how other survey respondents answered the questions. I don't know if it was individual or amalgamated responses. But unfortunately, that effectively eliminated the privacy of any survey responder.
The vendor wasn't a direct business associate of UCDMC; the survey was voluntary and information was only gathered from patients who chose to fill out the survey; and the survey wasn't done at UCDMC's request; so there's no apparent HIPAA violation. But this does point out the potential problem of second, third, or -nth tier parties coming into access with PHI and disclosing (or threatening to disclose) it.
Jeff [3:43 PM]
Blogger: HIPAA Blog - Edit your Template