RE: Here is a good Privacy Issue that will cause problems
There was some good discussion of whether it was proper (legal) for the pharmacist to notify the prescribers (probably not), but if he stole the RX book, or someone suspected he stole the RX book, that was a (potential) crime and should have been reported to the police. I was thinking about suggesting reporting it to the police in the first place. They would have (hopefully) done an investigation and developed a case before notifying anybody, thus preventing the embarrassment to the wrong person (and potential law suit). If the pharmacist reported it to the police and it turned out that nothing illegal was done, I don't see what harm it would have done to the pharmacist or to the person suspected of wrong doing. Bruce Bradigan Healthcare Consultant -Original Message- From: Rebekah Savoie [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 5:43 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Here is a good Privacy Issue that will cause problems Thank you for all your responses. They were all great and exactly what I expected - Now I will tell you the rest of the story - A man stole some Rx books and forged the Rx's - but it gets better - he used someone else's name and the pharmacy gave this information to physicians when the person they thought and named was seeking drugs, was actually not. You can imagine how mad this man was after the information got back to his employer who was a friend of a physician that received one of the general mail-out letters about him being a drug seeker. Makes you think, doesn't it? Rebekah Savoie Healthcare Consultant Christiansen, John (SEA) [EMAIL PROTECTED] 01/16/03 02:55PM Robert - I think I need to question one of your assumptions, and your approach to this kind of problem. #1 the assumption that: the individual has lost the right to privacy once they break the law is not correct, and is in fact dangerously incorrect. HIPAA does not state that principle anywhere. It does list a number of conditions under which PHI may be disclosed: for TPO, under an authorization, and under the conditions listed in 45 CFR 164.512 (uses and disclosures not for TPO for which no authorization is required). If you read that regulation you will see that subsection (a) does permit a disclosure required by law, while subsection (f) sets out the specific requirements for disclosures for law enforcement purposes. (The other exceptions in this regulation don't appear likely ever to apply to this kind of situation). If there is a law on the books requiring disclosure of drug-seeking behavior, exception (a) would apply; but I am not aware of any such laws (doesn't mean there aren't any, I just don't know of any). This is a very different approach to privacy from the assumption that if you break the law you lose your privacy. While the U.S. Constitution does not explicitly state a privacy right (there are theories that it does so implicitly, but that's another set of questions), HIPAA does create a statutory/regulatory set of privacy obligations on the part of CEs and entitlements on the part of individuals. I frankly don't think that a pharmacist's judgment that he thinks someone has broken the law by improperly seeking drugs (by the way, *is* drug-seeking behavior a crime? or just a basis for suspicion of a crime? or are we using an alert of this kind to prevent health problems and over-prescription?) will suffice to eliminate this entitlement (as a matter of law) or relieve the pharmacist, as a CE, of his or her obligation to respect these privacy entitlements by complying with the regulations. (By the way, what if he's wrong? In addition to breach of privacy there might well be a suit for libel available.) This is not to say something can't be done to communicate about this kind of problem - we have discussed it quite a bit and there have been a number of good postings on the subject - but the way to approach a solution it is to start with the regulations and read them carefully. (Also any applicable business associate contracts; for example, in your example of the PBM, has the PBM checked to make sure any BAC it has with a CE that provided some of the PHI which describes the prescriptions written permits that kind of disclosure? There are some badly drafted documents out there, not all of which might allow for everything you would like to assume they do.) The underlying point being that with HIPAA coming into effect decisions like these have to be made in a more formal way, with actual reference to regs and contracts and not in reliance on what you assume should be the right result. John R. Christiansen Preston | Gates | Ellis LLP 701 Fifth Avenue, Seattle, Washington 98104 *Direct: 206.613.7118 - *Cell: 206.683.9125 * [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED]
RE: Here is a good Privacy Issue that will cause problems
HIPAA is not intended to *preclude* use of PHI for treatment. Consultation with other providers for treatment purposes is specifically permitted, under the broadest terms of any of the HIPAA use/disclosure provisions. But the definition of CE does not include governmental *law enforcement* agencies - though it does include governmental *providers and plans* - and consultation with *law enforcement officials* is not *treatment.*(Unless you want to argue that becoming the subject of acriminal investigation and potentially criminal prosecution is "treatment," which would be an interesting semantic stretch and more to the point an interpretation inconsistent with the rules' own distinctions between the two types of PHI use.) Since a disclosure tolaw enforcement it is not for *treatment* other rules apply, which should not be difficult to comply with, though the failure to comply could expose the CE to penalties. Likewise, the disclosure of PHI to another pharmacist to advise him or her of possible drug-seeking behavior is not for the purpose of *treatment* unless both pharmacists have a professional relationship to the possible drug-seeker; the goal then would indeed be the provision of clinically sound treatment services. That purpose is *not* presentwhen a pharmacist sends that kind of information to another pharmacist who doesn't have a relationship to the individual in question -the latter is not engaged in "providing, coordinating or managing health care or related services" to the individual (the definition of "treatment"), so the former *cannot* be disclosing the PHI for that purpose. The question then is, if the disclosure to the second pharmacist is not for purposes oftreatment, what *is* the purpose of the disclosure? Once you have articulated that purpose accurately, you look at the rules to see if it is permitted, and if so under what conditions. If it is permitted, you disclose under the conditions the rule states (if any). If it is not permitted, you don't make the disclosure. I guess at this point I'm not sure what the resistance or disagreement is about.I think the prudent approach is to read the rules and work within them, and I think they can be worked with to legitimately handle the kind of situation described in Rebekah's original scenario (which is what I am still responding to). There appears to be a disagreement with this position and I'd like those who disagree to clarify what their own position in fact is. Is the disagreement based on the beliefthat this approach encroaches too much on traditional professional discretion of pharmacists to disclose patient information according to their own judgment, not according to bureaucratic rules?If so that is a legitimate position, one that has been articulated by a number of professionals in a number of settings, and one I sympathize with to an extent. Butit is also a position that in the final analysis is about HIPAA resistance, not HIPAA compliance. If the requirement to comply with bureaucraticrules improperly infringes on professional discretion, from the professional's point of view the solution is to abolish the rules (i.e., HIPAA), or to ignore them and be ready to take the consequences as a matter of taking the moral high ground against an intrusive government. But if you accept that the rules are legitimate, or at least that it is too risky to violate them, the solution is to read them and comply with them, and to the extent they do cause problems try to get HHS to reform them. If this is not an accurate description of the basis for disagreement with the "read the rules" approach, it would be helpful to know what the basis for the disagreement in fact *is.* If we are going to have divergent standards for approaching compliance we better get them on the table so we know what we are talking about. -Original Message-From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]Sent: Thursday, January 16, 2003 4:57 PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: Here is a good Privacy Issue that will cause problems John, Under HIPAA, a pharmacist's job is to provide direct treatment services and to use and disclose related PHI in accordance with the privacy, security and TCS rules. So if a pharmacist needs to consult with other CE's in the neighbor (or to contact government offficials) to provide a clinically sound treatment service, how would HIPAA preclude those activities? I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may
RE: Here is a good Privacy Issue that will cause problems
Title: RE: Here is a good Privacy Issue that will cause problems I would argue that releasing information that a patient has been restricted to one pharmacy is not a disclosure under HIPAA. A disclosure must contain a person's identifying information and information on their health status. I don't see how a pharmacy restriction would be considered information about health status other than such a restriction would imply abuse of some sort. But that would be like the information that you are in the hospital would imply that you were sick. -Original Message- From: Drexler, Deborah (EHS) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 3:58 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Here is a good Privacy Issue that will cause problems The issue here is whether a covered entity which has information that an individual is drug seeking can disclose it to someone else, in an effort to curb the abuse. Depending on who is disclosing the PHI to whom, you can probably argue that the disclosure is authorized because it is either T, or P, or O. Here is an example of one way it could work. A payer realizes it has paid for several prescriptions for the same narcotic in a week, each written by a different prescriber. This is an indication of drug abuse. The payer deals with this problem by putting the individual on a restricted pharmacy list -- the individual can now get his prescriptions filled at only one particular pharmacy (pharmacy A). Pharmacy A is instructed by the payer that if they are asked to fill duplicate prescriptions, they they are to contact the prescriber to validate the prescription. Otherwise the pharmacist won't get paid. In this case, you could argue that the disclosure from pharmacist to provider is either for the individual's treatment, or the pharmacists' payment. In the same hypothetical situation, when the same individual goes to Pharmacy B in an attempt to get her illicit prescription, the Pharmacist B looks up the person's eligibility and sees that the individual has been restricted to Pharmacy A. Pharmacist B now knows that he won't get paid if he fills this prescription, and so he doesn't. There is a dislcosure here -- the payer disclosed to Pharmacy B the fact that the individual has been restricted to Pharmacy A (and implicitly a drug seeker) -- but this is a disclosure that will likely be deemed to be part of the payer's operations. In the situation you describe, Rebekah, it seems that the pharmacy (somehow) got information that the individual is a drug seeker, and is disclosing that fact to providers. I'd argue here that the disclosure from pharmacist to providers is part of the treatment of the individual. As you can see, none of these arguments is completely obvious. So is there a HIPAA problem? Maybe. There's another problem, as well. A drug seeker can easily evade detection by going to different pharmacies, different doctors, and not seeking insurance reimbursement. But there's a way to fix both the detection proglem and the HIPAA problem -- and I think I read that more than one state is either doing this or planning to do this: the state can *require* pharmacists to report all prescritpions to a central database, and the state can monitor that database to identify drug seekers. A bit Big Brother-ish? You might think so. But doing it this way solves not only the detection problem but the HIPAA problem as well -- as long as the state promulgates a regulation *requiring* pharmacists to disclose to a central database, and another *requiring* the state to disclose suspected drug seekers to providers. As we all know, HIPAA has no effect on state laws or regulations requiring disclosure of PHI. Deborah L. Drexler, Esq. HIPAA Program Consultant Executive Office Health Human Services One Ashburton Place Boston MA 02108 617-727-7600 [EMAIL PROTECTED] -Original Message- From: Mimi Hart [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 4:17 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: Here is a good Privacy Issue that will cause problems My gut feeling tells me huge issue...I don't know if there is something in public health law that would state that it is being done in the best interests of the patient and is therefore okay.hopefully one of the lawyers on the group will weigh in. MIMI Mimi Hart Ó¿Õ* Research Analyst, HIPAA Iowa Health System 319-369-7767 (phone) 319-369-8365 (fax) 319-490-0637 (pager) [EMAIL PROTECTED] Rebekah Savoie [EMAIL PROTECTED] 01/15/03 02:53PM Today, a clinic that I work with received a letter from a local pharmacy about a patient that was a Drug Seeker as we call them. Over the course of 30 days he had been to several doctors and several pharmacies and received over 350 total pills all a controlled substance. What happens to the pharmacy's ability to do these types of things under Privacy? Clearly, pharmacist were
RE: Here is a good Privacy Issue that will cause problems
Tim, I must respectfully disagree with your fundamental analysis of this scenario. Pharmacists (chemists) have, for more than 2000 years, been part of a triad (including physicians and nurses) engaged in an on-going clinical (NOT business) practice of ensuring that the correct medications and drugs are received by the correct patients. Whenever we remove one of those clinical disciplines from the decision-making process, medication errors and mistakes are likely to increase. It is NOT the intention of HIPAA to deter a good clinical practice. Unfortunately, when unscrupulous people get hold of blank-prescriptions, innocent people may get hurt. Under HIPAA, our responsibility then becomes mitigation of the harm. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 6:00 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Here is a good Privacy Issue that will cause problems In my personal opinion, this practice - violating patient privacy, in the name of detecting abuse by private businesses - which is (it appears to me) unsupported by statute (unless mandated by DEA regulation) - is contrary to both many state laws and HIPAA. I agree the practice serves a valuable community need, as well as the needs of the abusing patient (intervention). However, as it (as I see it) is NOT a law enforcement reporting issue, but rather a home grown solution, that business simply do out of common sense, the practice will either have to be suspended, with suspects reported to law enforcement - cutting out the Sherlock Holms detectionengaged in by pharmacistsin the process - or get a state statute passed to support and require the activity. After all, it appears to me that what is really occurring here is abuse of privacy, and potentially serious defamation, and that a case might be made for damages if a person is placed on these distribution lists wrongly. However, as I am not an attorney I can not pass on a formal opinion. Just keep in mind that a person DOES NOT LOOSE ANY RIGHTS just because a pharmacist suspects abuse!!! It is up to statutory law enforcement of investigate, and a court to determine if a crime has been committed, NOT A CE, regardless of their practices. I am frankly amazed that we have not heard more litigation on this issue. Regards, Tim McGuinness, Ph.D. Consulting Specialist in Regulatory Privacy, Security, and Application Compliance --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Here is a good Privacy Issue that will cause problems
Hate to say it, but I disagree: Under HIPAA a pharmacist's job is to establish and comply with certain policies for privacy, security and electronic claims processing. It is a pharmacist's *professional* obligation to avoid (or mitigate) harm to individuals, and HIPAA is not intended to *interfere* with this. But HIPAA says nothing about mitigation of harm or professional standards. -Original Message-From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]Sent: Thursday, January 16, 2003 3:57 PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: Here is a good Privacy Issue that will cause problems Tim, I must respectfully disagree with your fundamental analysis of this scenario. Pharmacists (chemists) have, for more than 2000 years, been part of a triad (including physicians and nurses) engaged in an on-going clinical (NOT business) practice of ensuring that the correct medications and drugs are received by the correct patients. Whenever we remove one of those clinical disciplines from the decision-making process, medication errors and mistakes are likely to increase. It is NOT the intention of HIPAA to deter a good clinical practice. Unfortunately, when unscrupulous people get hold of blank-prescriptions, innocent people may get hurt. Under HIPAA, our responsibility then becomes mitigation of the harm. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 6:00 PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: Here is a good Privacy Issue that will cause problems In my personal opinion, this practice - violating patient privacy, in the name of detecting abuse by private businesses - which is (it appears to me) unsupported by statute (unless mandated by DEA regulation) - is contrary to both many state laws and HIPAA. I agree the practice serves a valuable community need, as well as the needs of the abusing patient (intervention). However, as it (as I see it) is NOT a law enforcement reporting issue, but rather a "home grown" solution, that business simply do out of common sense, the practice will either have to be suspended, with suspects reported to law enforcement - cutting out the Sherlock Holms detectionengaged in by pharmacistsin the process - or get a state statute passed to support and require the activity. After all, it appears to me that what is really occurring here is abuse of privacy, and potentially serious defamation, and that a case might be made for damages if a person is placed on these distribution lists wrongly. However, as I am not an attorney I can not pass on a formal opinion. Just keep in mind that a person DOES NOT LOOSE ANY RIGHTS just because a pharmacist suspects abuse!!! It is up to statutory law enforcement of investigate, and a court to determine if a crime has been committed, NOT A CE, regardless of their practices. I am frankly amazed that we have not heard more litigation on this issue. Regards, Tim McGuinness, Ph.D.Consulting Specialist in Regulatory Privacy, Security, and Application Compliance---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a
RE: Here is a good Privacy Issue that will cause problems
We provide each patient with a summary of our protocol for dispensing of pain meds, the anticipated length of time post op., etc. We have the patient sign the form authorizing any and all pharmacies to provide a prescription profile upon request, giving the patient a copy. This has been a lifesaver for our office. Lisa L From: Christiansen, John (SEA) [EMAIL PROTECTED] Reply-To: Christiansen, John (SEA) [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Subject: RE: Here is a good Privacy Issue that will cause problems Date: Wed, 15 Jan 2003 14:21:00 -0800 This was a very big issue in one small city where I spoke on HIPAA a couple of years ago, because the chief of police () had recently been busted for drug-seeking behavior - everybody wanted to know how it would play out under HIPAA. If I read this question right, what happened here was that one pharmacy sent another a letter including PHI (Joe Doaks is trying to buy lots of controlled substances), without patient authorization. So, is there an applicable exception? You might be able to argue that the treatment exception applies: Both pharmacies are providing health care to (filling prescriptions for) Joe, possible misuse of drugs is a legitimate consideration in providing care (due to potential for drug interactions and overdosing), so it would be legitimate to say that this is a permitted disclosure from one provider to another for treatment purposes. However, if Joe finds out this kind of communication is going on, he may not take it well, and may disagree. Given the personalities of many drug abusers, he probably will. This is the kind of scenario that leads to OCR complaints and lawsuits. If your drug seeker has deep pockets and a reputation to protect - numerous celebrities come immediately to mind - a lawsuit might even be likely. So, if I were a pharmacy, I might very much want OCR guidance stating that this kind of pharmacy-to-pharmacy communication is permitted under the treatment exception; I don't want it a gray area. Disclosures to law enforcement have their own exception. However, in discussions with in the small city referenced above, it became clear that a lot of people simply gave out information to the plainclothes investigators based on the investigators' oral representation of their authority - no subpoena, no warrant, no letter, no badge or ID check, in some cases over the phone (without a verifying callback procedure). This is highly risky - I think you probably ought to be able to get the benefit of the law enforcement exception without having checked authority, but the regs specify what you are permitted to rely upon and that you have to have reasonable safeguards against unauthorized access, which authority verification would seem to be. So you may be at risk in disclosing without checking even if the recipient turns out to be telling the truth about his law enforcement authority. And if he's not what he says he is - if, as by anecdote happened to a couple of organizations discussed at the presentation, he (or she) is actually an ex-spouse, or parent - then you're in real hot water. (I would hope not criminal charges, but under the wrong facts I bet an aggressive prosecutor could make a case.) And if HIPAA isn't enough, in Washington state unauthorized disclosure of patient information is actionable medical malpractice, too. So: Read the rules; trust, but verify (authority); lobby for clarity; and when in doubt, don't disclose. John R. Christiansen Preston | Gates | Ellis LLP 701 Fifth Avenue, Seattle, Washington 98104 *Direct: 206.613.7118 - *Cell: 206.683.9125 * [EMAIL PROTECTED] Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be accessible to unauthorized viewers, content may be modified or corrupted, and headers or signatures may incorrectly identify the sender. If you wish to confirm this message or the identity of the sender, please contact me using a communications channel other than a reply to this e-mail. Secure electronic messaging is available and recommended for confidential or sensitive communications. -Original Message- From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 1:15 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Here is a good Privacy Issue that will cause problems This is a huge issue in my area, because we actually have a hotline set up in the county and I don't think we can keep it around. I am lucky enough to be invited to a meeting with a state police detectives, physicians, and pharmacists next week regarding HIPAA and I am sure it will come up. I will report to the group my findings then. I do think this is more of a common occurrence than we think it is. Make sure you ask the right questions with your groups. Judith Bentz-Miller Privacy Officer Arnett Clinic 765-448-8843 -Original Message- From: Rebekah Savoie [mailto:[EMAIL PROTECTED]] Sent: Wednesday,
