
The HIPAA Act

#1



EsteBeatDown

Hey everyone. Been a while since I've posted. I was hoping someone here could help me with a particular situation I have been having a problem with. It's regarding the HIPAA act and the regulations regarding EPHI and PHI.

Yeah I know, why come here, right? Well, you all have proven to be intelligent in other matters and I can't seem to find the answer on my own, so I figured I might as well go for a Hail Mary.

So, I know that the HIPAA act has a regulation that states only ESSENTIAL work members who require access to EPHI (Electronic Protected Health Information - Information transmitted via electronic media (e-mail, internet, computer, flash drive, etc.)) to do their job function should have access. The problem I'm having is does that apply to PHI (such as pieces of paper)?

For example, I know it would be a violation of HIPAA if a medical office were to leave a computer with patient records open and unlocked for the after hours cleaning crew (who are not required to have access to these records to do their jobs) to "accidentally" have access to. But what if it were a box full of medical paper documents that they did not shred before leaving work and left out in the open for the cleaning crew to see? Is this a violation? I can't seem to find anything on this.

Any help (and links) would be GREATLY appreciated. Thanks all!


#2

AshburnerX


I'm fairly certain you need to keep those files under lock and key until you actually shred them. I could ask someone at the hospital, but I'd be lucky to hear back from them in a week.


#3

Krisken


Yes, it would be a violation of confidentiality clauses.


#4



EsteBeatDown

Yes, it would be a violation of confidentiality clauses.
Sorry to ask, but you wouldn't have a link or something that I can look at, would you?


#5

Dave


Let me find some links for you. Yes, it's a violation, but at this time as far as I'm aware, NOBODY has been prosecuted for violating HIPAA.

I'm very, VERY familiar with HIPAA. Let me find you some stuff.

---------- Post added at 06:33 PM ---------- Previous post was at 06:24 PM ----------

This link has FAQs about HIPAA.

This link has information about FACTA, which is more likely what you are looking for.

---------- Post added at 06:34 PM ---------- Previous post was at 06:33 PM ----------

FACTA:

FACTA is a federal law designed to minimize the risk of identity theft and consumer fraud by enforcing the proper destruction of consumer information. The Federal Trade Commission of the United States (FTC) developed the Disposal Rule in November 2004 to further implement the policies set forth in FACTA. The Disposal Rule applies to businesses that utilize consumer information; however it affects every person and business in the United States.
The FACTA Disposal Rule, effective June 1, 2005, states that "any person who maintains or otherwise possesses consumer information for a business purpose" is required to dispose of discarded consumer information, whether in electronic or paper form. The Disposal Rule further clarifies the definition of compliance as "taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." These "reasonable measures" include:

  • Burning, pulverizing, or shredding of physical documents.
  • Erasure or destruction of all electronic media.
  • Entering into a contract with a third party engaged in the business of information destruction.


#6



Element 117

I love how this forum is full of so many knowledgeable people, someone knows something, and collectively, we know about everything.


#7

Dave


Is that sarcasm? :hm:


#8

MindDetective


I think it was genuine. Also, I tend to agree.


#9



Element 117

Is that sarcasm? :hm:
No.


#10



Disconnected

I love how this forum is full of so many knowledgeable people, someone knows something, and collectively, we know about everything.
we are a model for how the world should work


#11

Dave


Is that sarcasm? :hm:
No.

I am never sure about that online. I think my sarcasm detector is broken.



And I agree.


#12



EsteBeatDown

Hey Dave, I looked over the info you linked, but I can't find anything on whether or not businesses are required to keep paper documents inaccessible from workers who do not need access.

I've got to go for a few hours, but when I get back I'll explain in detail the situation I am in at the moment. Maybe that will help.

Thanks a million everyone. I really appreciate it.


#13

Dave


Hey Dave, I looked over the info you linked, but I can't find anything on whether or not businesses are required to keep paper documents inaccessible from workers who do not need access.

I've got to go for a few hours, but when I get back I'll explain in detail the situation I am in at the moment. Maybe that will help.

Thanks a million everyone. I really appreciate it.
I think the FACTA information posted above is what you are probably looking for.


#14

Piotyr


Yeah, HIPAA deals mostly with electronic data, but I know our specific policy affects paper data as well. It might depend on the specific policy implemented at the institution.


#15



EsteBeatDown

(WARNING: LONG POST)

Hey guys. First off, thanks for everything you all have done. Especially you Dave. With all that you have to do, you still help us peons with our personal problems. That's a class act right there. Anyways, here is the situation.

My wife and I own a janitorial business here in Texas. We have a few employees and clean multiple office buildings, including 4 clinics for a hospital district (or at least we DID). We've cleaned these particular clinics for 2 years already and have never had an issue, that is until about a month ago.

Apparently, the hospital district recently had a vote on building a new hospital (which passed) and asked all surrounding clinics to make cuts on their spending in order to help fund the addition. To add to this "number crunch", one of the clinics we cleaned had just lost a key doctor to a rival district and was no longer receiving the income from him. Therefore, cuts needed to be made and, as anyone in my business knows, the first cuts are usually made in the luxury area, which is where we are. Well, the contract we made with them stated that in order for them to end our agreement early, it either had to be due to a performance issue (in which they had to give us a 2 week period to correct the issue and, if not corrected, then they could initiate the termination clause) or they had to buy out a portion of the remaining contract. So of course, they needed to find a reason to terminate us due to a performance issue in order to avoid buying us out.

So here we come to the incident that happened about a month ago. The clinic in question has special bins next to each office desk called a "shred bin". These shred bins hold confidential customer information such as medical records and billing information. These bins usually go weeks before actually being emptied out in their shredder and are NEVER put away at the end of the day. Therefore, they are always out in the open where any of my crew can have access to them. It has been this way for the entire 2 years we have worked for them.

Now to their credit, the bins are marked as "shred - to not throw away" and are also identified by the fact that they do not have trash can liners like the other trash bins do. But again, they are never emptied for weeks (and sometimes months) at a time and are never put away before we arrive, therefore being fully accessible to us.

Okay, like I was saying earlier, a month ago one of the doctors at the clinic in question decided to part ways with the hospital. The day he left, the clinic decided to do some reorganizing in order to take advantage of some of the extra space. My staff noticed this that night when they went to go clean. They went about their usual way (as they have been for the past 2 years) and completed the job as usual.

Well apparently, the next day the clinic realized that one of the shred bins was empty. So they immediately informed the chief financial officer of the hospital about the violation. In turn, the CFO tried to contact me via e-mail, stating that the documents that had been thrown out needed to be retrieved within 48 hours and she needed to be informed when it was done or else they were going to be liable. There was just one big problem. I never received the e-mail because it had been inaccessible to me for almost a week due to internet provider issues I was having at the time.

So you're probably wondering, "Este, why didn't you call and inform the hospital that your e-mail was down? Don't you think they would need to know that?"

Yes, I do realize that this was a mishap on my part. But one thing that most people don't know is that this particular CFO was the type of person who would just so happen to call me on EVERY SINGLE ISSUE THAT EVER HAPPENED AT ANYTIME.

Trash bin wasn't emptied? I would get a call.

Mirror not cleaned right? Call.

Floor sticky? Call.

Dust bunny found in the most obscure corner of an empty office? Call.

(Okay, I made the last one up, but you get my point.)

So yes, I figured that if there was any serious situation that needed to be handled ASAP, I would receive a call from them. Therefore, I figured it wasn't necessary to inform them of my e-mail being inaccessible to me. My bad.

So the CFO sends an e-mail to me the day after the supposed incident happens and informs me that this issue needs to be addressed within 48 hours due to the consequences that could occur if it wasn't handled. You want to know when I found out about this?

Two friggin' weeks later. When my internet is back up. And I check my e-mail. Two weeks after the CFO sent it...

You get where I'm going with this?

If you have a serious, time sensitive issue that MUST be handled due to the serious implications it could have on your company if it isn't and you don't receive a response to the e-mail you sent from the people who would be handling it (and the deadline is fast approaching), what would you do? What would YOU DO?

YOU WOULD FRIGGIN' CALL THOSE DAMN PEOPLE!

You wanna know what these people did? They sent ONE e-mail. That's it.

No phone call 24 hours later. No call 48 hours later (when the deadline was reached). NOT EVEN A FOLLOW UP E-MAIL THE ENTIRE 2 WEEKS THAT MY INTERNET WAS OUT.

Nope. For this extremely important, time sensitive, consequence rendering issue that needed to be addressed within 48 hours, they sent ONE E-MAIL.

You wanna know what really happened? They found their reason to get out of the contract without buying us out.

So anyways, like a good little soldier, when I finally did get the e-mail, I called the hospital to discuss the issue with the CFO. However, by the time I called, they had already initiated the termination clause due to my lack of response to this serious violation. I tried to explain the situation to them, however they were pretty convinced that we were at fault and there was nothing we could do. The certified letter was already in the mail, and we were to be dismissed in 1 month (as per the performance termination clause).

I've gone through a few things to rectify the matter with them as peacefully as possible. I've even requested an exit interview in order to explain our side of things to them (which they denied me of). I've tried to defend my employees, telling them that in the 2 years that we've been cleaning they have never thrown out a shred bin, so why would they do so now? What proof do they have? How do they know that one of THEIR employees didn't throw it out accidentally, since they had reorganized that day? How do WE know that it even happened?

Each and every question they have refused to discuss with us. So guess what? I'm done being peaceful. They wanna say we got terminated due to violating the HIPAA act? We'll see about that.

So that explains the situation. While I believe I have a case already, it would be of great benefit if I could prove that they were in violation of HIPAA already by having those documents out in the open when we would arrive. There should never have been an opportunity for us to throw those documents out in the first place (if we even did). And here is another zinger...

The day that the documents were "supposedly" thrown out was on a Tuesday. The trash truck that picks up that particular clinic's trash comes every Monday morning. If the hospital had called us the moment the deadline had passed to find out why we hadn't responded yet, it would have been sometime on Friday. Guess where I would have been the moment I would have found out?

Knee deep in dumpster, with a WHOLE WEEKEND to retrieve all the documents.

But nope, all I got was ONE FRIGGIN' E-MAIL.

Must have been some "serious" issue, huh?


#16

AshburnerX


If the answer you're looking for is anywhere, it's likely in this PDF file from the FTC about the Disposal Rule. Read it over carefully.

I DO know for a fact that containers full of this kind of stuff DO need to be locked if you're licensing out to an outside information disposal company, but if they were doing it in-house they may not be held to the same standards.

That being said, you may have a case if you decide to sue them for breach of contract, if you can prove it wasn't your people who threw it out.


#17



EsteBeatDown

If the answer you're looking for is anywhere, it's likely in this PDF file from the FTC about the Disposal Rule. Read it over carefully.

I DO know for a fact that containers full of this kind of stuff DO need to be locked if you're licensing out to an outside information disposal company, but if they were doing it in-house they may not be held to the same standards.

That being said, you may have a case if you decide to sue them for breach of contract, if you can prove it wasn't your people who threw it out.
That's one of the problems though. Despite my employee's venomously denying that she did not throw out the bin, I cannot prove that she did not accidentally do so since I was not there. In the same vein however, they cannot prove that she did do it nor can they prove that one of their own employees did not do so during their reorganization. They are taking their employee's word over ours, despite the fact that A) we have never done this in our entire 2 years with them, B) my employees have been fully educated on how to identify a shred bin and C) they had just completed a massive office reorganization and could have (more than likely) thrown it out themselves.

BTW, thanks for that link. It was very informative, but so far the only thing that I have found is that it requires companies to take certain measures to ensure that only the appropriate people have access to the documents. The problem with that though is the law states within itself that this is a "broad" term and can be implemented in different ways. Therefore, there is a real possibility that a court might find that them identifying those bins as shred bins would have been sufficient.


#18

Dave


I know this sucks, but if you can't prove anything you probably have little to no recourse and fighting it can drain coffers and make you look bad if you lose. Hell, if you win the details may come out & make you look bad!

I know it's a financial hit, but I'd write them off and find another client. Which sucks, but there you go.


#19

Krisken


Keep in mind that states have statutes beyond what the federal government keeps as well. On top of that, each state's laws are different. Federal law sets the base standard and the state laws expand upon it.

And while Dave is correct in that no one has been prosecuted, the penalties for not following these laws are still strict. Losing accreditation or having a black mark on your record as someone who is careless with patient information can prevent you from working in the healthcare field.


#20

Dave


I agree, Krisken, but he has the burden of proof against him in this matter. He needs to contact a lawyer and see if he's gearing up to fight a losing battle.


#21

Krisken


I agree, Krisken, but he has the burden of proof against him in this matter. He needs to contact a lawyer and see if he's gearing up to fight a losing battle.
Sorry, was still replying to the first half of the thread.

I would think the burden of proof would be on the hospital as they made the accusation. It sounds to me like they are trying to cover their asses and prevent lawsuits. What you want to do Este is check your contract with the hospital. Look for a clause which covers confidential information. I can't be certain if they would have one for cleaning services.


#22



Chazwozel

Hey everyone. Been a while since I've posted. I was hoping someone here could help me with a particular situation I have been having a problem with. It's regarding the HIPAA act and the regulations regarding EPHI and PHI.

Yeah I know, why come here, right? Well, you all have proven to be intelligent in other matters and I can't seem to find the answer on my own, so I figured I might as well go for a Hail Mary.

So, I know that the HIPAA act has a regulation that states only ESSENTIAL work members who require access to EPHI (Electronic Protected Health Information - Information transmitted via electronic media (e-mail, internet, computer, flash drive, etc.)) to do their job function should have access. The problem I'm having is does that apply to PHI (such as pieces of paper)?

For example, I know it would be a violation of HIPAA if a medical office were to leave a computer with patient records open and unlocked for the after hours cleaning crew (who are not required to have access to these records to do their jobs) to "accidentally" have access to. But what if it were a box full of medical paper documents that they did not shred before leaving work and left out in the open for the cleaning crew to see? Is this a violation? I can't seem to find anything on this.

Any help (and links) would be GREATLY appreciated. Thanks all!
YES! It is! Any information that exposes patient records and I.D.s without their consent is a HIPAA violation. Those papers should be in a locked cabinet!


-DAMN! I should have read the thread further down!

Este, I can't tell you the numerous times clients have tried to weasel out of my cleaning contract clauses by pulling shit like this. Sadly, the only thing you can do is plug on and try and find another account.


#23



EsteBeatDown

First off guys, thanks for everything. You all have really shed some light on this matter for me.

As to what I'm going to do, I figure that it could not hurt to present all of this information to a lawyer and get their input on whether I have a case or not. I know someone in the field who owes me a favor for the care we gave her mother a while back. I've already called it in and she is going to meet with me sometime next week.

I'm just wondering though, if you all could tell me something. Somewhere along as I was telling my story, I noticed that many of you realized that my case might have fallen apart. Where exactly did that happen? I'm just curious as to what you all think.

There was also something else that I thought might help my case. The FACTA act states that all companies that handle confidential customer information must take reasonable measures to ensure that it does not become accessible to those who do not need to see it. Perhaps the fact that the only effort they made to recover the supposed "lost" items was to send me an e-mail proves that they did not take reasonable measures. They did not try to call me regarding this issue NOR did they try to recover the items themselves. They sent only one e-mail over a span of 2 weeks. Doesn't this prove some form of neglect, no effort to reasonably recover the lost information in order to keep it from people who don't need to see it?

I'm not really sure what's going to happen. Perhaps all I really need to do is show that their actions were very "suspicious" like and lean towards them attempting to weasel (as Chaz put it) out of the contract.

I just don't know. I guess I really won't know what I have until I speak with the lawyer. In any case, you all have been great. I'll keep you all updated on what happens, and please continue to post your opinions and helpful information. I'll probably need a lot of it.

