There was some good discussion of whether it was proper (legal) for the
pharmacist to notify the prescribers (probably not), but if he stole the RX
book, or someone suspected he stole the RX book, that was a (potential)
crime and should have been reported to the police. I was thinking about
suggesting reporting it to the police in the first place. They would have
(hopefully) done an investigation and developed a case before notifying
anybody, thus preventing the embarrassment to the wrong person (and
potential lawsuit).
If the pharmacist reported it to the police and it turned out that nothing
illegal was done, I don't see what harm it would have done to the pharmacist
or to the person suspected of wrongdoing.
From: Rebekah Savoie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 5:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Here is a good Privacy Issue that will cause problems
Thank you for all your responses. They were all great and
exactly what I expected -
Now I will tell you the rest of the story -
A man stole some Rx books and forged the Rx's - but it gets
better - he used someone else's name and the pharmacy gave
this information to physicians when the person they thought
and named was seeking drugs, was actually not. You can
imagine how mad this man was after the information got back
to his employer who was a friend of a physician that received
one of the general mail-out letters about him being a drug seeker.
Makes you think, doesn't it?
Christiansen, John (SEA) [EMAIL PROTECTED] 01/16/03
I think I need to question one of your assumptions, and your
approach to this kind of problem.
#1 the assumption that: the individual has lost the right
to privacy once they break the law is not correct, and is in
fact dangerously incorrect.
HIPAA does not state that principle anywhere. It does list a
number of conditions under which PHI may be disclosed: for
TPO, under an authorization, and under the conditions listed
in 45 CFR 164.512 (uses and disclosures not for TPO for which
no authorization is required). If you read that regulation
you will see that subsection (a) does permit a disclosure
required by law, while subsection (f) sets out the specific
requirements for disclosures for law enforcement purposes.
(The other exceptions in this regulation don't appear likely
ever to apply to this kind of situation). If there is a law
on the books requiring disclosure of drug-seeking behavior,
exception (a) would apply; but I am not aware of any such
laws (doesn't mean there aren't any, I just don't know of any).
This is a very different approach to privacy from the
assumption that if you break the law you lose your privacy.
While the U.S. Constitution does not explicitly state a
privacy right (there are theories that it does so implicitly,
but that's another set of questions), HIPAA does create a
statutory/regulatory set of privacy obligations on the part
of CEs and entitlements on the part of individuals. I frankly
don't think that a pharmacist's judgment that he thinks
someone has broken the law by improperly seeking drugs (by
the way, *is* drug-seeking behavior a crime? or just a basis
for suspicion of a crime? or are we using an alert of this
kind to prevent health problems and over-prescription?) will
suffice to eliminate this entitlement (as a matter of law) or
relieve the pharmacist, as a CE, of his or her obligation to
respect these privacy entitlements by complying with the
regulations. (By the way, what if he's wrong? In addition to
breach of privacy there might well be a suit for libel available.)
This is not to say something can't be done to communicate
about this kind of problem - we have discussed it quite a bit
and there have been a number of good postings on the subject
- but the way to approach a solution is to start with the
regulations and read them carefully. (Also any applicable
business associate contracts; for example, in your example of
the PBM, has the PBM checked to make sure any BAC it has with
a CE that provided some of the PHI which describes the
prescriptions written permits that kind of disclosure? There
are some badly drafted documents out there, not all of which
might allow for everything you would like to assume they do.)
The underlying point being that with HIPAA coming into effect
decisions like these have to be made in a more formal way,
with actual reference to regs and contracts and not in
reliance on what you assume should be the right result.
John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
Direct: 206.613.7118 - Cell: 206.683.9125
[EMAIL PROTECTED]
From: [EMAIL PROTECTED