HIPAA

HIPAA and Referral List

  • 1.  HIPAA and Referral List

    Posted 09-28-2020 03:43 PM
    Greetings,

    An individual at an organization sends a weekly marketing report to the entire organization. This report contains the patient's first and last name, referral source, internal referral, status, admission date, referring physician, etc.
    Due to the fact that the report contains patients' full names and it's going to everyone in the organization (most have no need to know the patient's name), would this be considered a HIPAA violation?
    If yes, how can that organization address and mitigate the situation?

    Please advise,


    ------------------------------
    Tema Pefok, DHA, CHC, CPCO, CHPC
    Director of Compliance
    The Care Team
    30600 Northwestern HWY Suite 245
    Farmington Hills MI 48334
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: HIPAA and Referral List

    Posted 09-28-2020 03:55 PM

    Tema,

    Your 4 factor analysis will help you to determine if it is a breach or not. At the very least it appears to violate the "minimum necessary" rule. I would bring this to your Compliance Committee or upper management, whoever would be involved in making that kind of decision, and determine who in the organization really needs the marketing report and what information they need. A simple policy and procedure for the Marketing person/dept. to guide them in what information to include, who to share it with, and how to share it (encrypted email, etc.) should alleviate any future problems.

     


    Michael Scudillo, OTR, CHC 
    Chief Compliance Officer/Privacy Officer
    Universal Institute / Therapeutic Rehabilitation

    Troy, MI

    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at michael.scudillo@uirehab.com and delete the material from all computers.





  • 3.  RE: HIPAA and Referral List

    Posted 09-28-2020 08:39 PM
    Whether it might be a violation or not would depend on whether each person needs the information to do their job, and needs to know all the information.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 4.  RE: HIPAA and Referral List

    Posted 09-29-2020 08:03 AM
    Hi Tema

    I've attached our HIPAA P&P for your review.  Hopefully, it'll help guide you.

    ams

    ------------------------------
    Anne Marie Storey
    Director of QI
    Catholic Charities of Oneida/Madison County
    Utica, NY
    ------------------------------

    Attachment(s)

    11-P&P - Marketing.doc   45K 1 version


  • 5.  RE: HIPAA and Referral List

    Posted 09-29-2020 08:58 AM
    Good morning,
    I would like to thank everyone for the great input and the policy. I now have enough grounds to approach the situation.
    Have a great day,

    ------------------------------
    Tema Pefok, DHA, CHC, CPCO, CHPC
    Director of Compliance
    The Care Team
    30600 Northwestern HWY Suite 245
    Farmington Hills MI 48334
    ------------------------------



  • 6.  RE: HIPAA and Referral List

    Posted 09-29-2020 11:47 AM
    These are the questions I would pose:

    1. What is the purpose of the report?
    2. Who needs to see it?
    3. Is all the information required to serve the purpose or is it just for convenience?

    I would suspect that the "entire" organization would not need to see this report and it would be considered a HIPAA violation, as the minimum necessary rule may have been violated. However, if the communication remained within the organization, it would probably not reach the standard of a Breach.

    Ask the individual to stop sending the report ASAP until your questions are answered and then develop a better plan to disseminate the information. Consider an education session with the Marketing team in general to go over the do's and don'ts.

    ------------------------------
    Nancy O'Neill, RN, CHC, CHPC
    Sr. Director, Corporate Compliance/Privacy Officer
    Tampa General Hospital
    Tampa, FL
    noneill@tgh.org
    Responses are my own and not the view of my organization.
    ------------------------------
