
HIPAA privacy rule recounts lessons learned

by Mike Wheeler
University Privacy Officer

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was implemented in April 2003.

This privacy rule establishes federal law that protects privacy and confidentiality by preventing the release of an individual’s private health information. An overview of the few problem areas identified during the last six months will help prevent these same problems from recurring.

1) Improper release/disclosure of medical records via e-mail. A provider e-mailed several colleagues to inform them a patient was exhibiting “drug seeking behavior.” This e-mail contained patient identifiable Protected Health Information (Protected Health Information can be defined as patient identifiable health or financial information such as medical and billing/payment records).

2) Improper release/disclosure of medical records. A traveling nurse released/disclosed Protected Health Information concerning an MUSC patient to the traveling nurse’s employer for reasons other than treatment, payment, or health care operations. At MUSC’s request, the protected health information was returned.

3) Accessing fellow employee’s medical records. A medical record can only be accessed for treatment, payment, or health care operations purposes. Accessing a medical record because you are concerned about the health status of a fellow employee, or to find an inpatient employee’s room number, is not acceptable.

4) Reviewing medical records without proper approval/authorization. A student accessed a medical record for reasons other than treatment, payment, or healthcare operations. Prior to entering a medical record for “educational purposes,” a student must seek and obtain proper approval.

5) Research subjects not completing a HIPAA Release of Information form. Subjects enrolled in this research study were not requested to sign a Release of Information form (commonly called a HIPAA Authorization) prior to the conduct of study procedures. 

6) Discussing medical conditions in areas accessible to other patients. MUSC discourages discussing health information in waiting rooms or clinical areas with other patients present. However, at times these discussions must take place. When discussing health information in a waiting room or areas where other patients are able to hear your conversation, speak softly. 

7) Leaving medical records unattended. A medical record was found unattended in a hallway of a clinic. If you remove a medical record from a storage area, you are responsible for the security of the record.  In addition, Protected Health Information was found in an unattended printer located in a student study area. 

8) Billing information sent to incorrect address. A software error resulted in billing/payment information sent to addresses of other patients. In addition, an employee inadvertently sent billing/payment information to the address of another patient. 

9) Business associates improperly releasing/disclosing medical records. One employee of a business associate removed a medical record from the business associate’s premises (a storage site) so the medical information could be used in a child custody hearing.

10) Improperly releasing medical records to a foster parent. Foster parents need only access to the minimum amount of Protected Health Information to provide care for their foster child and do not have a right to access the foster child’s complete medical record. 

11) Protected Health Information found in recycle bins. Protected Health Information must be shredded or placed in “To Be Shredded” bins.  Patient identifiable Protected Health Information must not be placed in recycle bins. 

12) Computer terminal logged in and unattended. Remember to log out of any computerized patient record system (for example, OACIS) prior to leaving the computer terminal unattended. 

13) Loss of medical records. A disestablished clinic’s medical records were discarded when the clinic was incorporated into another department. 

14) Incorrect patient’s medical record sent to law firm. In response to a subpoena, an incorrect patient’s record was sent to a law firm. At MUSC’s request, the law firm returned the record. 

15) Improperly releasing/disclosing research related Protected Health Information.  A research coordinator improperly released/disclosed a list of subjects enrolled in a research study. 

As you can determine, most of these problems were caused by lack of attention and/or lack of understanding of the requirements specified in the HIPAA Privacy Rule. You do not need to be a privacy expert, but please give special consideration to the need to maintain our patients’ privacy.

Ultimately, the responsibility for maintaining our patients’ right to privacy falls upon each individual employee working with Protected Health Information. 

If you have any questions or concerns, contact one of the MUSC Organized Health Care Arrangement Privacy Officers. 
 

Friday, July 9, 2004
Catalyst Online is published weekly, updated as needed and improved from time to time by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to petersnd@musc.edu or catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Community Press at 849-1778.