The Pittsburgh Post-Gazette ran an interesting story today, “Spread of records stirs fears of privacy erosion.”
Basically, this describes the trials and tribulations of a woman who was denied disability benefits by her insurer following a car accident because of notes made by her psychologist. Reportedly the psychologist's notes were intermingled with her general medical records.
This report provides an interesting case study of what can happen when healthcare providers find excuses to be sloppy with how they store their patient records and use those excuses to avoid compliance with HIPAA, and of the significant negative impact such actions, still unresolved and with HIPAA still unenforced, have upon patients whose information goes from a psychologist’s pen on paper to being digitally scanned into a large medical center’s data processing storage, mixed together with all other types of medical data.
This is a rather long article, so here are some key excerpts to give the gist of the article:
* “In 2000, she sought help for sleeping problems at a sleep-disorder center at Stanford Hospital. She began psychotherapy sessions with clinical psychologist Rachel Manber, director of the center. The sessions, she says, delved into her problems at work, as well as deeply personal matters such as her fiance’s death. “I would never have engaged in psychotherapy with her if she did not promise me those notes were under lock and key,” Ms. Galvin says.”
* “Her therapist, she says, had assured her the records from her sessions would remain confidential.”
* “On a rainy morning in February 2001, Ms. Galvin was rear-ended at a red light in Palo Alto and suffered four herniated discs. She returned to work, but over time her back problems worsened, she says. Her doctor eventually diagnosed an unusual connective-tissue disorder that made healing difficult, she says. Two years after the accident, she applied for long-term disability leave.”
* “Her employer’s carrier, UnumProvident Corp., asked her to sign a broad release covering her medical records. Without it, the insurer said, it would deny her claim. Ms. Galvin signed, she says, only after receiving assurances from Dr. Manber that the therapy records wouldn’t be turned over without additional authorization.”
* “In mid-2003, three months after Ms. Galvin signed UnumProvident’s release for her medical records, the Chattanooga, Tenn.-based insurer denied her long-term disability coverage. In a letter explaining its decision, UnumProvident cited notes taken by Ms. Galvin’s psychologist about her “working on a case” and about a job interview in New York. “(Y)ou continued to actively seek a new position and actively interviewing for positions, including traveling to New York,” the letter said. “There is also some indication that you were working on a case … after you left work.” The medical information in her file, the letter said, did not support her claim.”
* “Ms. Galvin disputed UnumProvident’s decision. She said that the notes about the job interview referred to the psychologist’s suggestion during one session that she find another job, and that the reference to “working on a case” referred to her pursuit of a claim against the driver who rear-ended her. She says she showed UnumProvident telephone and bank records and they prove she wasn’t in New York when the insurer said she was. UnumProvident stuck to its decision.”
* “Jim Sabourin, a spokesman for UnumProvident, says the contents of Dr. Manber’s notes were one reason it denied her claim. He says the company obtained the records appropriately, using the authorization form signed by Ms. Galvin for the release of her general medical records. If she thought there were errors in her record, he says, she should have asked Stanford to correct them. Mr. Sabourin says the insurer has extended the time for Ms. Galvin to appeal its denial.”
* “Ms. Galvin says she complained to her therapist, Dr. Manber, and to others at Stanford Hospital that she hadn’t given permission for her psychotherapy records to be released — and that Stanford should have made sure her insurer obtained permission. In 2004, she sued Dr. Manber, the hospital and her insurer, accusing them of violating their professional obligations, malpractice and invasion of privacy, among other things.”
* “A year after she sued, says Ms. Galvin, she learned from a lawyer representing Stanford that the hospital had scanned at least some of Dr. Manber’s notes about her into its computer records system, effectively making them part of her basic medical record. Stanford then had sent this file to her insurer and to the lawyer for the driver who hit her car. Later, UnumProvident sent Ms. Galvin’s records to a lawyer for an auto club that insured Ms. Galvin against uninsured motorists. Unum says it did nothing improper.”
* “In court papers, Stanford said that “psychotherapy notes that are kept together with the patient’s other medical records are not defined as ‘psychotherapy notes’ under HIPAA.” The hospital is not required to keep them separate, the court papers said, and it would be “impracticable” to do so. In a separate filing, Dr. Manber asserted that the notes “do not constitute psychotherapy notes” as defined by the federal rules and that it was appropriate for her to send them to Stanford’s medical-records department. Dr. Manber declined to comment, as did a lawyer representing her and Stanford.”
* “The U.S. Department of Health and Human Services last summer rejected an administrative complaint by Ms. Galvin against Stanford, saying the hospital hadn’t broken any rules because it “did not separate Ms. Galvin’s Sleep Center Records from her general medical records.””
Why, in three years, have there been NO enforcement actions, penalties, fines, etc. applied for HIPAA noncompliance? Laws must be enforced to be effective and to be taken seriously by those organizations handling copious amounts of personal information.
As the article highlights, there certainly are some troubling issues with the way some of the HIPAA regulations are worded: they are broad and open to interpretation, to the point that they can be detrimental to ensuring the privacy they were created to protect.
The HIPAA Privacy Rule specifically requires extra protection for psychotherapy information.
“§ 164.508 Uses and disclosures for which an authorization is required.
(a) Standard: Authorizations for uses and disclosures
:
:
(2) Authorization required: Psychotherapy notes.
Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care operations:
(A) Use by the originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;
or
(C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual;
and
(ii) A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i).”
Treatment, payment, or health care operations seems to be the Achilles’ heel in this case, or at least the hospital is trying to make it so.
§164.502(a)(2)(ii) is:
“(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.”
“(2) Minimum necessary does not apply. This requirement does not apply to:”
“(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;”
§164.512(a) is:
“(a) Standard: Uses and disclosures required by law.
(1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.”
§164.512(g)(1) is:
“(g) Standard: Uses and disclosures about decedents.
(1) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph.”
§164.512(j)(1)(i) is:
“(j) Standard: Uses and disclosures to avert a serious threat to health or safety.
(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:
(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;”
The hospitals are saying it is unreasonable to ask them to separate psychotherapy notes from the large databases into which they have been dumped. Why is this considered an acceptable reason for this situation? Why were handwritten psychotherapy notes scanned into a computer system to begin with? The most secure place for handwritten psychotherapy notes is on paper and locked within the doctor’s cabinet where only he or she can get to them.
Once data is scanned into a computer system, the number of people who can access that data immediately leaps to potentially dozens if it is stored in clear text (which it likely is): systems admins, authorized users of the applications that can now access the data, probably auditors, and any number of other systems users.
One of the many intents of HIPAA was to protect psychotherapy notes so that such information could not be used against individuals inappropriately. However, poorly, or perhaps more precisely confusingly, worded legislation and thoughtless implementation of paper scanning systems seem to have negated any meaningful results of that intent; at least it appears so in this case.