HIPAA Violations

[HollyLynn]

Let me just begin by expressing how passionate I am on this topic and how irritated it can make me. I have my doubts as to its effectiveness at times but as it is the law of the land at the moment, I do my utmost to obey it to the full extent. That being said, here is my dilemma.

Browsing my news feed on Facebook Friday night, I saw a friend from high school had posted a photo of himself in a rather ridiculous pair of sunglasses. Fine, amusing even. What bothered me were the trays for patient orders BEHIND him. Twenty one trays with patient names were clearly viewable. His profile states exactly where he works. I promptly messaged him that this was a Hipaa violation and he might want to remove it. It is no longer viewable on his wall, but is still in his album.

At this point I'm at a loss. I don't want to slander someone but I feel it completely irresponsible to allow this image to exist. Any advice on what step to take, if any?

[opt63]

Message him again and ask him to remove it from his album. Some people don't realize that if you post a photo and delete it from the news-feed it still exists in your album. Consequently, he may have thought he deleted it even though he didn't.

If after making the additional request it's still not removed then I would notify the head of whatever office/facility he is associated with as that's likely who is responsible for monitoring day-to-day HIPPA issues at that facility.

While a name and eyglasses Rx wouldn't exactly rank high on the list of "private medical details one wouldn't want someone else to know about" the law doesn't make any distinction. A HIPPA violation is a HIPPA violation.

[Crazy-bout-Optics]

Question for you. Is it a violation? If there is a tray that says "Smith" on it, all it tells you is a person whose surname is "Smith" patronized his work. It does not say" James Smith of 1234 River Street DOB 1/11/63 with Rx of ..." etc.

I don't believe it is a violation in any way. If you think it is a violation, go into LC and look at their Hippa Log. Patients, uhm, I mean customers at LC sign a sheet that have the names and date of everyone else who has already signed it prior to them. Staff at LC are handing them this list of people who have purchased, with their full name, date, and signature on it.

If thats not a violation, then I doubt having "Smith" on a tray is a violation as well.

If anything just food for thought :)

[Barry Santini]

In NYS, i believe the ed dept determined that eyewear "formulas" do not fall under the HIPPA law

B

[cocoisland58]

If after making the additional request it's still not removed then I would notify the head of whatever office/facility he is associated with as that's likely who is responsible for monitoring day-to-day HIPPA issues at that facility .

Really? You would go so far as to turn the FB friend in to his bosses? What if he lost his job over this?

[chip anderson]

O'wuwu, I'm Tellin... Why do some people think it's thier duty to cause problems for other people. The meer fact that "It's the Law" doesn't mean it's a good thing. While I would hate to have a real "medical condition" displayed to the public, especially if it were embarissing. Laws are passed by a bunch of drunks (translation: legislators) with all sorts of motivations, many of which have to do with money and just plain control for it's own sake.
Unless the law was given to you by Moses, you have to concider it's worth. Also I think you will find that most HIPPA stuff is "regulations", not law. Appearentlly "regulations" can be put in place by beaurocrats, just because he thinks he should be doing something and it gives him power over others..

Chip

[HollyLynn]

Thanks for all the advice guys. I take certain issues very seriously and patient care is one of them. I have always felt it better to err on the side of doing right than wrong which is why I consider patient names on trays to be a violation. Others may not. There are those patients who will try to take you for all you are worth if you give even a hint of a reason, so why risk it? Even though some may not consider it to be a big deal, HIPAA can impose some pretty hefty fines. I appreciate all the responses as it helps me know how the rest of the country and other opticians feel on these issues. At this point, I'm not going to do anything further. I mentioned it to him kindly, anything else is his responsibility. Knowing what I do about this field, I would hate to be one of those patients, much less the one who owned the sunglasses he's displaying in the photo.

[chip anderson]

Names on trays don't tell anyone anything that can't be learned from a phone book. Is HIPPA going after the phone book publisher?
Will Suzie's life and privacy be violated if someone learns that Suzie wears glasses? Neup!

[Uncle Fester]

While I won't put it quite as bluntly as Chip I agree we are the bottom rung on the HIPAA enforcement ladder.

Think about it- What harm is there in knowing the eyeglass or contact Rx of someone else as opposed to knowing medications they're taking? They have bigger fish to fry imo.

Now before you mount a high horse to defend the law-- Be honest now-- Do you ever exceed the posted speed limit by even one mile an hour? Same difference.

[NeGlassesGirl27]

You have done what you wanted to do and let him know how you feel. Is it really worth wasting more time to go to the head of so and so or to contact Facebook? I do see where you're coming from but you have done what you can.

The one thing that upsets me is when I empty the trashes every night before we leave and I see schedules with names, phone numbers, etc on there or whatever it may be. I take them out of the trash and put them through the shredder. THAT is a violation..

Now before you mount a high horse to defend the law-- Be honest now-- Do you ever exceed the posted speed limit by even one mile an hour? Same difference.

What? Never! :bbg: :p

[wmcdonald]

As a person who teaches both undergraduates and graduate students about HIPAA (Health Improvement Portability and Accountability Act-not HIPPA), I can tell you that names on job trays will not be a real issue. The concept of "reasonableness" is key to the issue. Is the name on the tray going to tell anyone anything about a patient illness? No. HIPAA began when patient information was not held private and people began to lose jobs and face other personal crises when the information was released without their knowledge. AIDS was one of those "hot button" issues that predicated the development, implementation and ongoing modification of the HIPAA rules.

The picture on Facebook, while tasteless, also does not inform outside people of a patients condition, so not a real issue either. You can find a great deal of information about HIPAA by doing a simple Google search, but be prepared for information overload. There is a lot of material out there, so I am not surprised at your concern. Just remember to keep patient information reasonably secure. The definition of reason has not yet been tested in this industry, and probably far down the ladder.

[opt63]

We take the privacy of our patients/customers very seriously and would take such an incident seriously-making sure the photo was fully removed and reminding the employee of the importance if patient privacy.

Yes having it leak out that so and so bought glasses from us or leaking the details of their Rx isn't exactly the most private of information. However, ultimately it's the patients data and unless they specifically tell us otherwise it's our duty to keep it private.

Yes HIPPA rules can vary by state, but those attacking the rules and regs miss the point. We need to act professionally and treat customer and patient data with the utmost of respect regardless of what a rulebook says.

If we want to have the public treat us like professionals and not just glorifed salesmen then we need to act like professionals. Just sayin'

[wmcdonald]

HIPAA is federal, not state and does not vary as described above. If you are worried about the job trays, then by all means I would report this agregious activity to the CIA, and FBI! We do not want this information to cause anyone undue distress.

[DragonLensmanWV]

Much ado about nothing, as I see it.

[NeGlassesGirl27]

We take the privacy of our patients/customers very seriously and would take such an incident seriously-making sure the photo was fully removed and reminding the employee of the importance if patient privacy.

Yes having it leak out that so and so bought glasses from us or leaking the details of their Rx isn't exactly the most private of information. However, ultimately it's the patients data and unless they specifically tell us otherwise it's our duty to keep it private.

Yes HIPPA rules can vary by state, but those attacking the rules and regs miss the point. We need to act professionally and treat customer and patient data with the utmost of respect regardless of what a rulebook says.

If we want to have the public treat us like professionals and not just glorifed salesmen then we need to act like professionals. Just sayin'

I think you're taking this a little overboard. It does not have their address, social security # or anything like that on the trays. I look up at all my trays sitting 3 inches away from me and some have a last name, but most have a last name and first name initial. They are facing out towards a door so anyone can look in here and see that...does that mean I am breaking the law? What about calling a patient, IE: "Jane? How are you today.." Or at your doctors office and they call you by your name to see if you're ready. Or when you walk into a doctors office and say "Hi. My name is so and so and I'm here for my appointment". Honestly, I wouldn't get all flustered over a picture with a last name on the tray..

[kcount]

Do you allow Reps into the lab? Do the Reps see the trays? Have all your sales Reps signed the appropriate forms? Has your UPS delivery man? Your cleaning Service? Your Postman? Your family members that are given full access to the office? Remember, the rule your pointing to states 'Within Reason'. The document never defines this.

A picture on Facebook is a minor issue. Seeing random names = Minor Issue. If it's the case that you and your office are so concerned about patient names, can you honestly state you have never left a tray, a file, a hand written note with a patients name on it in a place where patients traffic? Have you mentioned crazy Mrs. Smith to your friends over cocktails in public?

Give me a break.

[Chris Ryser]

While anybody might want to report to HIPPA a minor item while maybe in their back room they operate a finishing lab that does not have a proper ventilation to the outside to vent toxic fumes from their tinting unit and or bevel edger.

Reminds me of those old folks here in Florida cooking up regulations for their over 55 year communities and then encourage people to squeal on their neighbours so they can slap a fine on them.

[optilady1]

I wonder how many trees HIPAA has obliterated.

[shanbaum]

Trees obliterated? Possibly none, since a substantial purpose of the law was to promote the use of standardized methods for electronic execution of many health care transactions.

One aspect of the privacy rule is that disclosure of protected health information should be minimized, both in terms of the content disclosed (disclose the minimum necessary) and the persons to whom it is disclosed (disclose only to those who need to know).

While a person's name on a tray may not provide much in the way of PHI, it's still likely to be PHI (indicating that the named patient is being treated for vision problems of some sort), and reasonable steps should be taken to minimize disclosure. Leaving trays where customers can see other customers' names is thoughtless at best. I don't think I'd want to argue that a name by itself is insufficient identification, given that most eyewear customers probably live near the shops they frequent, and the standard for de-identification is that the geographic area identified must be less specific than the patient's state. (So, "Mr. Anderson, a resident of the former Confederacy" is sufficiently ambiguous).

And contrary to Chip's assertions, regulations have the force of law, and the phone book does not contain PHI.

[drk]

Yeah, but think of this...

"Hey, I don't want people to know I wear glasses...that's a private matter!"

..and they're wearing glasses as they say this.

Secret bifocals? Secret Rx sunwear? Really?

[Barry Santini]

Trees obliterated? Possibly none, since a substantial purpose of the law was to promote the use of standardized methods for electronic execution of many health care transactions.

One aspect of the privacy rule is that disclosure of protected health information should be minimized, both in terms of the content disclosed (disclose the minimum necessary) and the persons to whom it is disclosed (disclose only to those who need to know).

While a person's name on a tray may not provide much in the way of PHI, it's still likely to be PHI (indicating that the named patient is being treated for vision problems of some sort), and reasonable steps should be taken to minimize disclosure. Leaving trays where customers can see other customers' names is thoughtless at best. I don't think I'd want to argue that a name by itself is insufficient identification, given that most eyewear customers probably live near the shops they frequent, and the standard for de-identification is that the geographic area identified must be less specific than the patient's state. (So, "Mr. Anderson, a resident of the former Confederacy" is sufficiently ambiguous).

And contrary to Chip's assertions, regulations have the force of law, and the phone book does not contain PHI.

This is why I maintain the "powered" eyewear should not be treated as a *medical* device...

B

[shanbaum]

That would be the silly part. But secret readers (or other glasses not worn in public) or secret contacts -there's a possible actual privacy interest there.

[drk]

This is why I maintain the "powered" eyewear should not be treated as a *medical* device...

B

Barry, you lookin' for a smack down? Huh? Huh?

[Barry Santini]

Barry, you lookin' for a smack down? Huh? Huh?

Tag Teams only, drk.

I'll take Argentina Apollo as my mate!

B

[optilady1]

Trees obliterated? Possibly none, since a substantial purpose of the law was to promote the use of standardized methods for electronic execution of many health care transactions.

One aspect of the privacy rule is that disclosure of protected health information should be minimized, both in terms of the content disclosed (disclose the minimum necessary) and the persons to whom it is disclosed (disclose only to those who need to know).

While a person's name on a tray may not provide much in the way of PHI, it's still likely to be PHI (indicating that the named patient is being treated for vision problems of some sort), and reasonable steps should be taken to minimize disclosure. Leaving trays where customers can see other customers' names is thoughtless at best. I don't think I'd want to argue that a name by itself is insufficient identification, given that most eyewear customers probably live near the shops they frequent, and the standard for de-identification is that the geographic area identified must be less specific than the patient's state. (So, "Mr. Anderson, a resident of the former Confederacy" is sufficiently ambiguous).

And contrary to Chip's assertions, regulations have the force of law, and the phone book does not contain PHI.

Well, in the years that hipaa has been around, we've waisted a lot of paper preparing and training people on the joys of hipaa.