CHPC Study Group

PHI?

  • 1.  PHI?

    Posted 11 days ago

    If this email goes into a personal email, with a hospital logo, hospital name, from a hospital email address - is it PHI? Asking for a friend...   :) 


    Please schedule your appointment.

    Dear First name,

    Breast cancer remains one of the most common cancers diagnosed in women. Before symptoms appear, regular mammograms are the best tool for early detection. The American Cancer Society recommends that mammograms be performed on a yearly basis on women 40 and over and continued as long as they are in good health. Remember, mammograms do not find all cancers and breast self-exams on a monthly basis are also recommended.

    We would like all our women patients over 40 current with their mammograms. If you have not had a mammogram done within the past year, please contact our office for scheduling assistance at: number.

    Please accept our apologies if you have received this email in error or if you do not need a mammogram.



    ------------------------------
    Misty Booker, CHC, CHPC, OCS
    Knoxville, TN
    ------------------------------
    Certification Disclaimer


  • 2.  RE: PHI?

    Posted 11 days ago
    No, not PHI.

    Here is why I think it is not PHI. There is no health information for the individual the email is addressed to. It is a campaign, mass-produced, email. They probably bought a mailing list and are just blanketing everyone on it. They even apologized if the recipient shouldn't be getting the email. The sender doesn't have any PHI of the person they are sending to and thus haven't included it in the email.

    Some might argue that since the person's first name is on the email that identifies the person (maybe if the name was so unique there were only two people in the world with that name, but how many women are named Mary?). Also some might argue that the phrase "We would like all our women patients over 40..." implies that the individual must be a patient of theirs. Again just an assumption not based on evidence within the email. Again the last sentence, which is an apology in case the person got the email in error or does not need a mammogram, debunks the patient argument. If the individual was a patient they wouldn't have to apologize.

    No PHI. No worries. That's my take on it. It will be interesting seeing arguments to the contrary. Love that compare and contrast.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 3.  RE: PHI?

    Posted 11 days ago

    I will take the opposite position than Carl, so a little C&C.

    Yes, it is PHI.

    I do not read it as having bought a mailing list, just the hospital sending it to all female patients over 40 and I assume you are talking about an unencrypted email (not using a secure email program). You have the hospital information (name, logo, and email) in the email and use a hospital email address to send (or in the email if sent from a personal account). You have the patient's email address which is one of the 18 identifiers. You have the fact that the recipient is female, over 40, and a patient at the hospital. The first name is not a problem, but it depends on where the recipient lives. Carl is right about the first name if it is the greater LA area or Boise, but how about little Conda, ID? In many of the small towns where I live in rural TX Hill Country, a female over 40 named XXXXXXX could be identified. You also have a medical procedure (mammogram) reference and the information to schedule if needed.

    In my opinion, the email is skirting with containing PHI and while it looks like marketing, it runs very close to needing the patient's permission to send PHI in an unsecure manner. The question is how many of the 18 identifiers must be present to tie with the fact the individual is a patient of the hospital for it to be PHI?

    This is only my opinion and not that of the organization I work for. I will also admit that when I first read the posting, my thoughts were the same as Carl's. After I thought about it, my answer changed. I am also interested in seeing what others have to say on either position for C&C. I would hate to have a scenario question like this on the test.



    ------------------------------
    Lloyd Hemmert
    Compliance & Ethics Officer
    Hill Country MHDD Centers
    Kerrville,TX
    [lhemmert@hillcountry.org]
    ------------------------------



  • 4.  RE: PHI?

    Posted 11 days ago
    Lloyd,
    You presented a nice counter argument. Hopefully those test questions, for those taking the test this year, are a little less in that middle gray area and rest on more solid ground, like how many individuals have to have their PHI breached before you make it to the wall of fame, I mean shame.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 5.  RE: PHI?

    Posted 11 days ago
    So, I'm thinking about the "our women patients" part also. I feel like the 18 identifiers is pretty simple to define. What defines 'medical' info? The hospital, the physician, the mammogram, etc?

    ------------------------------
    Misty Booker, CHC, CHPC, OCS
    Knoxville, TN
    ------------------------------



  • 6.  RE: PHI?

    Posted 11 days ago
    Edited by Carl Russell 11 days ago
    I'm still hung up on the "presumption" that the recipient is a patient. We're guessing.

    If you see a person walk into a hospital, is that evidence that they are a patient? Maybe they are a visitor.
    If a person thanks you for handling a claim so efficiently by posting it on your Facebook page, are they a patient? Maybe they are really thanking you for processing their relative's claim, just not naming the relative.
    If a person finds in their mailbox a letter belonging to their neighbor that is from the local hospital, does that mean they are a patient? That could just be marketing.

    In every case above they just might be patients, and they just as well might not be. I can support a scenario where they are a patient just as I can support a scenario where they are not. In my mind there is just not enough supporting evidence to make a conclusion that the person is a patient, so I wouldn't, especially with that caveat sentence at the end that means if this is a mistake just ignore it.

    Now this whole thing has two possible scenarios. The first is you are asking the question (for your friend) because the hospital wants to know if they goofed. In that case they know for a fact whether or not this was a targeted mailing. We don't have to guess.
    The other scenario is you are asking the question (for your friend) because they received the email and they want to know if their PHI was put at risk. If the mailing was targeted from the hospital database of patients, then maybe so. If it was from some purchased mailing list, probably not, even if your friend did happen to be a patient. The likelihood that some of those on that purchased list are patients certainly isn't zero.

    Personally I believe if you filed a complaint with OCR on this they would laugh at you (behind your back). Then they would do an investigation, cost the hospital millions, and be found innocent in the end. All that you would have accomplished is contributed to raising hospital fees to the public, oh and the side effect of the hospital being hesitant to send out these kinds of emails in the future, thousands of women not being alerted to the need of a mammogram, and many of those dying of cancer, just because you filed a frivolous complaint.

    Just saying....

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 7.  RE: PHI?

    Posted 11 days ago
    Thanks Carl. I really enjoy this C&C.

    I miss privacy!!

    ------------------------------
    Misty Booker, CHC, CHPC, OCS
    Knoxville, TN
    ------------------------------



  • 8.  RE: PHI?

    Posted 11 days ago

    What if we KNOW that the person who received the email is 100% a patient of the particular hospital? And that all emails that go out in this manner, go to people who ARE patients of the hospital?

    Does that change the opinion?



    ------------------------------
    Misty Booker, CHC, CHPC, OCS
    Knoxville, TN
    ------------------------------



  • 9.  RE: PHI?

    Posted 11 days ago
    From the outside, someone intercepting the unencrypted email still doesn't know one way or the other if the person is a patient, certainly not for sure. But since your friend knows, they have grounds to complain. It's not that the hospital can't send out add-on information to you (or rather your friend). But we can all agree that announcing to the world that Jane Doe is a patient of ABC Hospital is not proper. The hospital took a risk doing just that by sending out the emails unencrypted. They did the equivalent of using a post card. Still the bad guys don't know if the named people are patients or not, but why tempt fate. The hospital probably should not have done the mailing unencrypted and should be told so. They probably should have put it in an envelope and helped support the US Postal Service.

    Does it rise to the level of complaint-worthiness to OCR? Not in my mind. But to complain to the hospital, yes.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 10.  RE: PHI?

    Posted 8 days ago
    I just wanted to say I believe in the standards of being proactive when it comes to healthcare and therefore side with Carl.  I responded in the CHC study group.  Sometimes in compliance we get too purist on the "is this a HIPAA privacy issue".  Healthcare is in the business of saving lives.  I think we need to be somewhat compassionate in this case.  If the marketing of this email makes 1 woman get her mammogram when otherwise she would not, or detects breast cancer in a new patient, then we have done our job. I don't want to get hung up on the ethics - I would give this a pass and move forward - my apologies for the soapbox.  (I work for a hospice organization - eventually all my patients are going to expire.)

    ------------------------------
    Barbara Naimark
    Compliance Manager
    Hospice of the Chesapeake
    Severna Park,MD
    ------------------------------



  • 11.  RE: PHI?

    Posted 6 days ago
    Interesting scenario and responses. Here is my 2-cents. In my opinion I believe this was only sent out to patients based off the fact the phrases "please schedule your appointment" and "we would like all our women patients over 40..." were used. However, the only identifying link to a person is the individual's first name. With that being said, I do think this is PHI because it's now associating the patient with a medical facility, but I don't feel that it's OCR reportable. It would be very hard to pinpoint exactly who this individual is without a last name. Since it's a gray area and borderline disclosure, I do feel that the hospital should be notified of the error so they can review it to ensure it doesn't happen again.

    ------------------------------
    Jill Volanti
    Director of Compliance
    Mesa,AZ
    ------------------------------



  • 12.  RE: PHI?

    Posted 6 days ago
    Well Misty, you got some compare and contrast on this one. Hope we didn't cause more grief than you already had.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 13.  RE: PHI?

    Posted 6 days ago
    Carl,

    I certainly did and honestly I am thankful!! There is absolutely no more grief caused! :)
    Thank you to everyone who gave honest thoughts!

    ------------------------------
    Misty Booker, CHC, CHPC, OCS
    Knoxville, TN
    ------------------------------



  • 14.  RE: PHI?

    Posted 6 days ago

    Hi all,
    I love this C&C stuff!
    I saw this post on the other e-group, and agreed with Barbara - then started to doubt myself.

    I'm not sure that I agree it's "marketing" but more of a "population based activity for health education/health promotion or preventive care."
    In these cases, I believe it is allowable under "treatment" and I think, could even be akin to "appointment reminders" which are also allowable via mail, email, etc.

    I always think - HIPAA is not supposed to be a barrier to communication - its intention as a law is supposed to enhance communication between providers and patients.  This would be one of those cases, as long as it's generic enough that it doesn't give out specific diagnoses or treatment plans!

    Those are my 2 cents--to add to the C and C! 



    ------------------------------
    Marcia Rasch
    Compliance Officer
    HealthSource of Ohio
    Loveland,OH
    ------------------------------



  • 15.  RE: PHI?

    Posted 5 days ago

    Marsh,

    That is a good perspective. HIPAA was not originally meant to be a barrier. Sometimes we overreact in fear of the "just in case" mindset. Which in many instances seems to become a barrier.

    When HIPAA first came about, and there was so much confusion and fear, I remember thinking, "Good grief, we won't even be able to talk to the patients if this keeps up!" Thank goodness it is better than that now, but we still tend to sometimes err on the side of caution.

    Vicky

     

    Vicky Roe, RN CHC CPMA

    Clinical Auditor

    Southeast Georgia Health System, Inc.

    2415 Parkwood Drive, Brunswick, GA 31520

    Office:  (912) 466-3264   Fax:  (912) 466-7044    Email: vroe@sghs.org

     

    This e-mail and any attachments may contain privileged and confidential information and are for the sole use of the intended recipient. Any unauthorized review, use, disclosure, or distribution is prohibited. If you have received this in error, please contact the sender by telephone or e-mail immediately and destroy all copies of the original immediately.   "noscramble" means the email is being sent unencrypted

     

     






  • 16.  RE: PHI?

    Posted 5 days ago
    Marcia, I like that point of view, enhance communication instead of being a barrier to it.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------
