Health Information Management

HIPAA Q&A

HIM-HIPAA Insider, March 17, 2013

Q. I work at a teaching hospital affiliated with one of the nation's top universities and medical schools.

Our emergency department staff forgot to return a patient's insurance card and mailed it to the patient via regular first-class mail without notifying her that they were doing so. A few days later, the patient was traveling when she discovered that the insurance card was missing. She called our emergency department and was told the card had been mailed to her home address.

The patient said she understands that mistakes happen occasionally, but that she was far more upset by our failure to contact her and ask her preference for returning the card than by our initial failure to return it while she was at the hospital. The patient said that had we called her, she would have come to the hospital to retrieve it and that she would have done so promptly because of her imminent travel plans.

Did we do the right thing by sending the insurance card via regular first-class mail without calling the patient first? Should we have sent it via certified mail or in some other manner that required a signature confirming receipt?

Also, should our privacy policy address situations like this?

A. This amounts to a violation of patient preference versus a violation of the privacy or security of the patient's information. There is no regulatory requirement to contact the patient before sending back a left-behind insurance card. First-class mail is protected by federal mail tampering laws, so intercepting and fraudulently using another individual's insurance card would amount to a criminal act.

There is no need to change your privacy policy in an effort to comply with state or federal law. HIPAA represents the privacy and security floor; you need to at least comply with HIPAA. You may implement more stringent privacy practices if you wish, and this could include a procedure that requires a call to the patient before sending that left-behind insurance card back. Implementing such a procedure would probably lead to a happier patient, but it's not legally required.

Q. Two patients with very similar names see the same primary care provider in our office. They are sisters-in-law whose names are Michele A. Smith and Michelle B. Smith.

Staff members often retrieve the wrong files for these patients, who become aware of the mistake when the physician asks Michele or Michelle a question that doesn't pertain to her but does pertain to her sister-in-law (e.g., a question about diabetes). The sisters-in-law have a friendly relationship and seem to be familiar with each other's health issues.

This has occurred more than once and with both patients. Do these recurring situations violate HIPAA?

A. Incidental disclosures of PHI do not represent a HIPAA Privacy Rule violation. On the other hand, repeatedly disclosing one patient's PHI to another patient would likely be seen as a violation. A better way to look at it is this: What would be the consequences of an ongoing mix-up if it involved two patients who did not know each other? It is important to implement controls to reasonably ensure Michele and Michelle's medical records are not mixed up.

Have a HIPAA question of your own? Please send your question to Editor James Carroll. (Editor's note: Due to the large volume of questions we receive, we are not able to answer all inquiries).


