[ Wednesday, October 27, 2004 ]


Radiologists and HIPAA: Physical layout issues. I have a lot of radiologists for clients, and I never cease to be amazed by their reading rooms. Whenever you go into one, there's always "digital wallpaper" of MRI or CT image slices on the monitors, in many instances with patient identifying information on the screen. I've always thought that these rooms represented the prototypical high risk/low risk of an improper disclosure of PHI: it's easy to see the information and the name, but almost impossible for the information to mean anything (to most untrained viewers, such as myself, the images might just as well be satellite weather maps).

Since the effective date of HIPAA, most radiologists have become more conscious about not leaving images on the view screens where they're easily seen. They are particularly good at taking down films and/or turning off viewboxes. However, particularly where multi-slice MRI images are involved, radiologists tend to leave the "digital wallpaper" up. Here's a recent article on steps radiologists and radiology departments can take to help secure the images from potentially prying eyes.

Jeff [10:14 AM]

[ Tuesday, October 26, 2004 ]


"There's too much privacy, and it's making it hard on everybody." That's the determination of the police in Binghamton, New York, according to this story. It's the sad, familiar tale of the sometimes unfortunate intersection of HIPAA and law enforcement. Generally, common sense will still prevail; there are many reasonable exceptions to general HIPAA privacy where law enforcement is involved. But there certainly are areas of confusion. Hospital personnel, and particularly those involved in the Emergency Department, should be well versed in the law enforcement exceptions, and hospital administrators and privacy officials should work with local law enforcement agencies to make sure everyone is on the same page with what is allowed and what is not.

One important HIPAA feature to keep in mind: HIPAA generally allows disclosures that are required by state law, but preempts state laws that are less protective of privacy. That is an unavoidable inconsistency, and it impacts the law enforcement/healthcare relationship more than any other.

Jeff [10:45 AM]

[ Monday, October 25, 2004 ]


Electronic Health Records. The Markle Foundation's "Connecting for Health" workgroup has published a report on the adoption of electronic medical records and other technologies that encourage the easy exchange of health information, and they've determined that financial incentives will likely be necessary to convince providers to adopt new technologies. They might be right; culturally, physicians love gadgets but hate change, so they aren't leaders in adopting new technologies. You can review the report here.

Jeff [11:14 AM]

[ Wednesday, October 20, 2004 ]


Ask the HIPAAcrat: Michael from Coral Gables asks: "When a hospital submits a cost report and they certify that they are in compliance with "laws and regulations regarding the provision of health care services" are they certifying that they comply with HIPAA? In addition, would a violation of HIPAA reduce or limit Medicare payments?"

My assumption regarding the language Michael quotes has always been that it is an attempt by the government to get a "Mother Hubbard" type of general affirmation that the hospital has complied with all laws. It's sort of like being sworn to tell not just the truth, but the whole truth and nothing but the truth. So help you God. I've never heard of any hospital being sanctioned specifically for violating that certification, since they're usually sanctioned for the actual violation of the law or regulations that makes the certification false, but I guess it could make a false claims action easier (since part of the claim is the certification, and if the certification is false the claim is false).

I think the certification is supposed to be all-encompassing, so HIPAA would be included in the certification. That said, I don't think a HIPAA violation in itself would likely be used to reduce or limit Medicare payments, for a couple of reasons. First, HIPAA has its own sanctions, which (if the violation is egregious) can be substantial. Secondly, payment refusal usually happens in a false claim action, and given the "reasonableness" and "scalability" attributes of HIPAA, it wouldn't make that convincing a claim to incorporate into a false claims action, certainly not as convincing as a Stark violation (where there isn't even a scienter requirement) or a Fraud and Abuse violation. HIPAA is still new, and it's amorphous, both of which make it a suboptimal candidate for the government to use for reducing or denying a Medicare payment.

Not to say that it couldn't happen. But I think the violation would have to be egregious, and/or the government would have to think that it wouldn't be able to levy or collect the fines specifically included in HIPAA for HIPAA violations, for the violation to result in payment denial.

Jeff [1:56 PM]

[ Tuesday, October 19, 2004 ]


More Thoughts on Rush's Medical Records: I meant to post this below, but once Rush's medical record decision was out (basically saying the police could get medical records without an individual's prior knowledge or consent if they had a proper subpoena or search warrant), there was a small flurry of banter on the American Health Lawyers Association's listserv for Health Information Technology (sometimes known as the "HIT list") about a New York case involving parties attempting to get access to medical records. In that case, Keshecki v. St. Vincent's, the defendants wanted to use medical opinion testimony from a couple of the plaintiff's other doctors. The defendants' lawyers apparently spoke with the doctors about the patient without the patient having given consent and in an informal setting (i.e., not a deposition where the plaintiff and her lawyer were present, sometimes called an "ex parte" communication). The court said that, because the other doctors had spoken with the defendant hospital and doctor about the plaintiff's medical records without getting a release or authorization from the plaintiff, the information the defendants got was basically "fruit of the poisoned tree," and could not be used by the defendant. Basically, the court said that the non-party doctors owed the plaintiff confidentiality, which was breached when the non-party doctors talked to the defendant doctor and hospital, but rather than giving the plaintiff the right to go after the non-party doctors, the court determined that the plaintiff could exclude the evidence the non-party doctors had to offer.

When a defense lawyer is trying to find out how to defend a malpractice case, he ought to be able to find out the medical records and condition of the plaintiff to make sure the damage was really caused by the defendant. And when the plaintiff has made a medical condition a part of the claim, the plaintiff really has given up the right to keep the defendant from investigating the condition and the claim. However, when you're the defense counsel, you don't necessarily want to get all of the information on the record until you can determine what helps you and what hurts you; that's the old adage of never asking a question if you don't know what the answer is.

The court here determined that, at least in New York, "HIPAA and its regulations have changed the rules regarding ex-parte communications with a plaintiff's treating health care providers," and HIPAA preempted any New York law allowing it. The court also determined that the defense counsel fooled the non-party doctors into thinking they had to release the information and talk to the defense counsel under their subpoena power.

There are a few cases in other jurisdictions imposing similar restrictions on the use of medical information wrongly obtained (or obtained without authorization): Law v Zuckerman, (US Dist. Md., 2004), 2004 U.S. Dist. Lexis 3755 (Maryland law allowing ex parte communications preempted by HIPAA; authorization now required; citing unpublished New Jersey case In Re PPA Litigation, September 23, 2003 (2003 WL 22203734 (N.J. Super L., 2003) as support); Crenshaw v MONY Life Ins. Co., (US, So. Dist Cal., 2004), 2004 U.S. Dist. Lexis 9882 (ex party discussions between defense counsel and plaintiff's physician, and use of physician as expert witness, allowed by California law but preempted by HIPAA; testimony not stricken, but sanctions applied); and Lillebo v. Zimmer, Inc., Civil No. 03-2919 (Jrt/Fln), Civil No.
03-2920 (Jrt/Fln), 2004 U.S. Dist. Lexis 18454 (USDC, Minn) (Minnesota law prohibits ex party contacts).

Ultimately, the lesson here is that whenever medical information is being disclosed, the party attempting to make the disclosure MUST make sure that HIPAA will allow the disclosure. However, remember that there are a handful of ways to get PHI in litigation or in governmental action, and there's always the route of getting the patient's authorization. If you have questions, check out Section 164.512 of the Privacy Rule, and walk through it to see if your situation is specifically addressed (of course, make sure you check out the definitions in 160.103 and 164.501, and don't just assume the words mean what you think they mean).

Hat tips to Alan Goldberg, Ed Shay, and John Cody for the cases and analysis.

Jeff [2:15 PM]


Tips for Complying with Requests for Confidential Communications: HIPAA requires covered entities to accomodate reasonable requests from patients that their information be communicated to them in alternative confidential means. For example, a patient has a right to request that her physician not call her house with information, but only contact her at her office address and phone number. It can be tricky complying with these requests, and some covered entities approach them my adopting a blanket policy of refusing any such request as "unreasonable." That's improper under HIPAA; you can do that with requests for restrictions on uses otherwise allowed and described in your Notice of Privacy Practices, but you must grant reasonable requests for alternative communications. So how do you deal with those requests, and once they've been made and you've determined that they are reasonable, how do you make sure everyone in your operations complies?

From Medical Newswire's e-mail service come four great tips for keeping your promises: First, start at registration by asking the patient where she would like her medical communications to go. While you may be opening a can of worms letting the patients know off the bat that they can request alternative means of communication, you can also built into your system the quick determination of the default address/phone number for communicating with them. Secondly, get the request for alternative communication in writing. This can be done in the registration process. It will give your staff some place to look to find out if there's a communication issue, and it will protect you if the patient later claims that an alternative communication request was made. Thirdly, designate a point person to be in charge of making sure requests are documented. Finally, don't separate the patient from the request. If the request is only in the medical record and some of your staff never looks at the medical record, they may never know of the request. If your reception staff only looks at patient contact information, make sure the request is noted there as well as in the medical record.

That's some good advice.

Jeff [10:09 AM]


Interesting Security Rule Article: Here's an interesting article in the Business First of Columbus newspaper on HIPAA security rule implementation. Not a whole lot of news, but probably the best one-sentence description of the basic implication of Security Rule I've ever seen: "The [healthcare] organization can combine policy and technology to implement the security rule effectively by balancing these goals with the risk, utility and expense of information security." Of course, what was most interesting about finding this article is that I saw the headline on HealthLeaders, and HIPAA was spelled HIPPA.

Jeff [9:56 AM]

[ Friday, October 15, 2004 ]


Health Information Technology in the news: Recent days have seen the publishing of a couple of stories I should have noted earlier. First, from the Washington Post: theFDA has approved technology that would allow individuals to have a microchip implanted under their skin. The microchip wouldn't contain the medical records of the patient, but would serve as an identifier that would link the person to their medical records, which would be stored electronically and be retrievable by anyone who had access to the chip's information. The technology has been in use for some years in the pet industry, where owners have a chip planted in Fido so that if he is lost, he can be returned to the rightful owner. The benefit of this technology would occur if you were injured and unconscious and taken to an emergency room that was equipped to read the chip. Your body would be scanned, the chip would identify you, and the ER doctors would be able to determine your identity and search your medical records to detect any drug allergies or medical conditions that might impact your care. The downside of the technology is pretty apparent: someone with access to a chip reader and the medical records could discover your medical history without you ever knowing it.

The second related article, from the Arizona Republic, involves on-line electronic medical records, so that an individual and his doctors can easily access his or her medical information. The patient could check lab results on line without bothering the doctor's staff (or after-hours), and multiple doctors seeing the same patient could easily share information. Again, the downside is the possible access by improper parties.

Of course, there's a dynamic tension between free use and disclosure of medical information (which is what you want when the release of the information can help you) and the restriction of the information (which you want when you want privacy or when the release could hurt you).

Jeff [10:26 AM]

[ Thursday, October 14, 2004 ]


HIPAA Joke: An older gentleman had an appointment to see the urologist who shared an office with several other doctors. The waiting room was filled with patients. As he approached the receptionist's desk he noticed that the receptionist was a large, unfriendly woman who looked like a Sumo wrestler. He gave her his name. In a very loud voice, the receptionist said,

All the patients in the waiting room snapped their heads around to look at the very embarrassed man. He recovered quickly, and in an equally loud voice replied, "NO, I'VE COME TO INQUIRE ABOUT A SEX CHANGE OPERATION, BUT I DON'T WANT THE SAME DOCTOR THAT DID YOURS."

Note: I didn't say "good HIPAA joke."

Hat tip: gruntdoc.

Jeff [10:43 AM]

[ Thursday, October 07, 2004 ]


Military Information and HIPAA: According to this article in the Milwaukee Journal Sentinel (short easy registration required), a new wrinkle in the unexpected consequences of HIPAA has been exposed. We've heard about the stories of family members being excluded from information on hospitalized loved ones, but the latest issue is the military's refusal to release information on wounded and injured soldiers. My favorite quote from the article: "A spokesman for U.S. Sen. Edward Kennedy (D-Mass.), one of HIPAA's chief architects, said the senator never intended the law to keep Americans from learning about casualties in important military missions like the current war on terrorism." What, unintended consequences to HIPAA? Oh, pshaw.

I found this article particularly interesting because during the initial stages of the war in Iraq, I signed up to get the Department of Defense's news e-mail service, which includes casualty reports. In fact, I just got one a few minutes ago. Here it is:

NEWS RELEASE from the United States Department of Defense
No. 1000-04
Oct 07, 2004
Media Contact: Army Public Affairs - (703) 692-2000
Public/Industry Contact: (703)428-0711
DoD Identifies Army Casualty

The Department of Defense announced today the death of a soldier who
was supporting Operation Iraqi Freedom.
Staff Sgt. James L. Pettaway Jr., 37, of Baltimore, Md., died Oct. 3 in
Brooke Army Medical Center at Fort Sam Houston, Texas, of injuries sustained in
Fallujah, Iraq, on Aug. 27 when he was involved in a motor vehicle accident.
Pettaway was assigned to the Army Reserve’s 223rd Transportation Company,
Norristown, Pa.
For further information related to this release, contact Army Public
Affairs at (703) 692-2000.

[Web Version: http://www.defenselink.mil/releases/2004/nr20041007-1360.html]
-- News Releases: http://www.defenselink.mil/releases/
-- DoD News: http://www.defenselink.mil/news/dodnews.html
-- Subscribe/Unsubscribe: http://www.defenselink.mil/news/dodnews.html#e-mail
-- Today in DoD: http://www.defenselink.mil/today/
-- U.S. Department of Defense Official Website - http://www.defenselink.mil
-- U.S. Department of Defense News About the War on Terrorism -

Actually, a closer reading of the Journal Sentinel article also shows that the general condition of the soldiers is reported, but specific information is not. Kennedy and his surrogates say the military is not providing the information to hide bad news about the war (sending e-mails like the one above doesn't look much like hiding to me). The military guys say (i) we're just following HIPAA and giving soldiers the same protection any hospital patient ought to get, (ii) Kennedy and the other lawmakers could've written the law to prevent this problem, and (iii) Kennedy's statements are just election-year politics.

Jeff [11:47 AM]


Which physicians use healthcare information technology, how, and why? It's hard to know because there's not a lot of data and research beyond anectodal evidence. But according to this study by the Center for Studying Health System Change, small practices (which in fact account for most patient-physician encounters nationwide) don't use much health IT, but physicians in large practices, particularly staff-model and group-model HMOs and faculty practices associated with academic medical centers, use it a lot. Which, coincidentally, is what the anecdotal evidence would have led me to believe. As the report notes, "size matters." Which, coincidentally, is another thing anecdotal evidence would lead me to believe.

Jeff [10:22 AM]

[ Wednesday, October 06, 2004 ]


WEDI White Paper for small providers: I should've posted this a while ago, but the Workgroup for Electronic Data Interchange has published a white paper for small practices to use in implementing HIPAA security rule requirements. Check it out.

Jeff [4:36 PM]


Rush Limbaugh's Medical Records: Not Private. You've no doubt heard of Rush Limbaugh's prescription pain killer addition, and have probably heard that the Florida authorities are pursuing a criminal action against him for "doctor shopping": going to multiple doctors to get multiple prescriptions in excess of what one doctor would give.

The state prosecutors seized Limbaugh's medical records from his primary physician when they raided his office, armed with search warrants. Limbaugh challenged the seizure, stating that he should have had notice of the seizure and the opportunity to challenge the inclusion of all of his records in the search warrants. Limbaugh and his lawyers contend that the seizure is a "fishing expedition" by the prosecutors office, and that it violated his privacy rights under HIPAA and Florida law. The ACLU even weighed in on Limbaugh's side. The State Attorney on the case (conveniently, a Democrat) contended that privacy rights do not impact the ability of the state to conduct criminal investigations using proper subpoenas and search warrants, and giving a criminal target prior notice that the records will be searched would severely hinder any investigation.

The 4th District Court in Florida ruled that, "the state's authority to seize such records by a validly issued search warrant is not affected by any right of privacy in such records." There was a strong dissent (in part), indicating that at least the lower court should review the records to determine if a limited amount of the records could be sufficient for disclosure to prosecutors, and also to determine what types of disclosure (and, presumably, what types of protection from disclosure) would be appropriate. A copy of the ruling is here.

I think the court is correct. The trial judge should certainly entertain and strictly (really, really strictly, not "Eagle Colorado" strictly) enforce a protective order on the records, reviewing them to determine what is relevant and returning the remainder to the doctor. The judge should also make sure that the greatest possible confidentiality is given to the rest of the records, sealing them if they are not specifically relevant to the exact charge in question.

Really, just imagine what else could be in those records, and the mental images it could provoke. Do you want to know that Rush takes Viagra? Is that a visual you want sticking with you? (Of course, I can't avoid the punch line: "it only makes him taller.")

Jeff [3:38 PM]


Wow, that's pretty cool. I'll have to try this more often.

Jeff [9:35 AM]


Testing my photo-blogging: The wife by the fire in the parlor of stately HIPAA Manor Posted by Hello

Jeff [9:35 AM]


Test post: It looks like Blogger's relatively-new template will let me post pictures. I'm going to test that theory now:

Jeff [9:16 AM]


PDMA Redux: You've probably never heard of the Prescription Drug Marketing Act of 1987. It was intended to stop drug diversion, which is the resale of drugs by hospitals and other entities that can buy them cheaply or in bulk. The law basically requires that hospitals and nonprofits that buy prescription drugs cannot resell the drugs except to the end user pursuant to a prescription, to entities (other than retail pharmacies) under common control, to entities in a group purchasing organization, or in emergency situations. The stated reason for the law was to protect the drug supply, since multiple resales could conceivably allow counterfeit or tampered drugs to enter the market. The real reason was that hospitals and other big purchasers could buy the drugs on the cheap, resell them at a price lower than the price retail pharmacies charged, and still make a profit at the expense of retail pharmacies. The retail pharmacies got their lobbyists to push the bill and get it passed. I became a bit of an expert in the PDMA back in the late '80s and early '90s.

So my curiousity was piqued when I saw that House had passed new legislation designed to prevent the "illegal diversion and misuse of prescription drugs." The bill would require the States to set up programs to monitor diversion and misuse of prescription drugs. I am not sure what they were going after, but I suspect it has to do with Canadian importation.

What does this have to do with HIPAA? I'm so glad you asked. One of the major concerns about the bill is its impact on patient privacy. States would have to submit their monitoring programs to HHS, which would vet them. The States would have to indicate how their programs would protect patient privacy. The bill specifically would apply HIPAA to the programs, except when pharmacies are transferring information to state-established databases. Some wanted HIPAA to apply to all parts of the programs, but that would make them harder to establish.

This bill must go to the Senate's ridiculously-acronymed Health, Education, Labor and Pensions Committee before it can get to the President's desk, and they are likely to push for more privacy protections.

UPDATE: Thanks to HIPAAlert from Phoenix Health, I've learned a little more about this bill. The underlying point of the bill is to provide federal funding to states that will allow them to set up prescription drug monitoring systems, so the states can track prescription drug use and attempt to stop the illegal use of prescription drugs. To get funding, the program would have to require pharmacists to report prescriptions of certain drugs, presumably oxycontin and similar narcotic/pain drugs (see Rush Limbaugh story, above). That information could be shared with other states, and be used by the state program to ferret out individuals who are seeking multiple prescriptions of these types of drugs. The whole effort makes a lot more sense, once you know this background.

Jeff [8:51 AM]

[ Tuesday, October 05, 2004 ]


Politically correct idiocy: Speaking of fixing a problem that didn't exist, NY just passed a law requiring hospitals, nursing homes, and other providers to grant visitation rights to same-sex partners of patients who can't give consent. OK, how does a hospital determine whether the proposed visitor is a same-sex partner? NY law does not allow gay couples to marry. Does current law require hospitals and nursing homes to allow visitation by spouses of patients unable to consent, and if so, what if the proposed visitor is the husband who beat his wife into a coma? I have often visited friends, same sex and opposite, who were in the hospital, and I wasn't married to any of them. Nobody prevented me from visiting them, nor would they. I suppose a hospital "could" prevent a same-sex partner from visiting, but I also assume a hospital "could" (and I hope "would") prevent a spouse from visiting, especially if there was a good reason.

Is New York such a gay-unfriendly state that there was a problem here that needed fixing?

UPDATE: the law does state how you could go about proving you are a "domestic partner" (shared insurance or employment benefits, or joint bank accounts). And apparently it does apply to both same-sex and opposite-sex couples. But still, the New York State Patients' Bill of Rights gives every adult patient the right to decide who should visit him or her, so it only applies if the patient is unable to exercise the right to decide. And the article has not a single example of a gay partner being refused visitation in such circumstances. This being the New York Times, if there were examples, they'd be in there (along with the gratuitous slur of the President, natch). And what about domestic partners who each have their own insurance and bank accounts but are just as much a "couple" as those who are financially tied together? I guess they could be denied visitation rights (as if that ever actually happened).

Jeff [9:58 AM]

[ Monday, October 04, 2004 ]


Nobel connections in Dallas: A few years ago I was having lunch with Leah Hurley, general counsel (OK, officially "vice president for legal affairs") of The University of Texas Southwestern Medical Center at Dallas, and we ate at the cafeteria at the Medical School. As you enter the cafeteria, you see a great deal of the paraphernalia of the multiple Nobel Prize in Medicine winners associated with the medical school.

Well, there's a new Nobel prize winner in medicine, again with a UTSW connection: Linda B. Buck, who earned her Ph.D. at UTSW, has just won the Nobel Prize in Medicine with another scientist for their research into how the brain processes information related to smell. [Insert your own joke here.]

Jeff [11:51 PM]


Local med-blogger: There's a whole blog subgenre of medical bloggers, but one that I just discovered is actually located nearby, just over in Ft. Worth. He's a former Marine (there are no "ex-Marines; once in the Corps, always in the Corps) and an ER doc with his own blog. Check him out, and particularly check out his links for other medbloggers.

Jeff [11:39 PM]


GAO Reports on the First Year Experience: Of course, Privacy "went live" way back in April 2003. How have things gone for providers, plans and clearinghouses? For the most part, according to the GAO (Government Accountability Office, not, as I always thought, General Accounting Office), fairly smoothly. There is some confusion and challenges abound (accounting for disclosures and business associate issues are highlighted), and the general public is ill-informed of the requirements and benefits, and governmental organizations face some specific problems. Anecdotal evidence shows some over-implementation of the rules resulting in family members being excluded from access to information on loved ones, and research organizations have their own troubles as well. But overall, the implementation of HIPAA has gone fairly well.

Personally, I think this is because the medical community has always been quite good at keeping private what is supposed to stay private. HIPAA was, in large part, drafted to fix a problem that existed primarily in the minds of the paranoid and over-reactionary. Were evil drug companies and marketing firms using personal medical information for nefarious (or at least profit-driven) purposes? Sure, it happened occasionally. But the vast, vast majority (well over the Ivory Soap threshold of 99.44%) of individuals and entities that had access to personal medical information maintained the privacy and confidentiality of that information at least as well as HIPAA now mandates. It's easy to fix a problem if it doesn't really exist in the first place.

Jeff [3:11 PM]


Law Blogging: Always nice to get to write your own press.

Jeff [3:11 PM]

[ Friday, October 01, 2004 ]


A Fabulous Resource: Sorry for the light blogging of late, but I've had paying clients to take care of. But I do have a great tip for you: the American Health Information Management Association's website is a fabulous resource for all things HIPAA: forms, articles, policies and procedures, etc. Click on "body of knowledge" in the upper right corner of the main page, and you can brouse hundreds of articles and forms useful for just about any HIPAA circumstance. Check out their security "toolbox" articles under the "professional tools" link on the left.

Jeff [9:58 AM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template