Earlier today I had to go into the local hospital to make a payment on a family account. I presented the receptionist with the check and account number, and she started the apparently tedious effort of applying the funds to the account. She then printed out a couple of sheets of paper that included an itemized list of medical services on two accounts that belonged to my wife. She turned to me and asked that I review the charges to see which account the funds were to be applied to. I identified the account and then she applied the funds.
Sounds simple… But if there aren’t questions in your mind yet, there should be. No, she never validated who I was. No, she never validated whether I was a person authorized to receive medical data. Yes, I just walked in off the street, no ID, nothing. No, none of that would have been a problem if all she did was take my check and apply the funds. Yes, it gets worse.
As I was standing there I noticed that they were advertising the opportunity to pay online. I had tried this earlier and learned that in order to sign up for the service one had to go into their office and present oneself. And there I was, so I thought, why not try? Let’s see what it takes. Here is how that conversation went:
Me: What does it take, what part of my body or how many of my children would be required as payment to sign up for online access?
Hospital: I just need your email address. (with a smile)
Me: Ok, that is great. Here it is. (wrote it down)
Hospital: You know that this access will only be for your personal accounts?
Me: Ok. Can I add the accounts for my other family members, like my wife, kids?
Hospital: No, your wife will have to come in and provide her email address.
Me: Here is her email address.
Hospital: No, sir. I can’t do that. I need her to come in and provide it. You know, HIPAA laws etc. If we took it from you, how do I know that is her email address? There are medical records in there. Anyone could just walk in off the street and provide an email address.
And then I had paused for a moment…
Me: So you are telling me that you just handed me the full itemized list of medical services provided to her, on two separate events, on three printed pages that I am walking out with, without validating who I was (you didn’t ask for ID or even check whether I was authorized to see it), but I can’t provide you her email address so that I can get online and pay a bill?
Hospital: (silence and a deep stare)
Yep, oops. I guess that is what you call a breach.
Folks, if this is the way you understand HIPAA, the way you implement HIPAA or the way your organization expects you to do HIPAA, please STOP, NOW! This is not what protection clauses in HIPAA were or are supposed to be about.
HIPAA data protections are sometimes cumbersome, I get that, but the controls and rules are not meant to be implemented ridiculously. Before you implement something like this, stop and think about it. How can we prevent stuff like this from happening?
- Ask questions. Question how things are implemented, if only so you can better understand why they are implemented the way they are.
- Role play it. Have three people involved in the process: the clerk, the customer and an observer. Allow the role playing to stop at any point so questions or comments can be raised. Go back to suggestion 1 and ask questions.
- Does it pass the sniff test? Sure, that phrase is used in so many different ways. But think about it. Does something seem out of place or odd? Then it probably is, so work through the problem.
- Whiteboard the process flow. Often, seeing the process flow on paper or on a whiteboard will make you think, hmm, we are missing something, or better yet, there is too much.
- Don’t develop processes or efforts in a silo. When you develop processes or actions in a silo, independently of everything else, you don’t know how they will interact with other, converging processes.
God gave you that grey matter between the ears, so use it – in a common-sense manner.