A community of 30,000 US Transcriptionist serving Medical Transcription Industry

HIPAA Violation... - sm

Posted: Nov 11, 2013

I posted earlier about a HIPAA violation I believe the company I am subcontracting for is committing. I'm considering filing a complaint, but not sure what this would entail. Before I go too far into it, has anyone filed a complaint against an 'employer,' for lack of a better term, as I am a subcontractor & not an employee? This issue is weighing heavily on my mind. I do have proof of emails sent back and forth that are not encrypted or secured in any way containing reports with the patients' name and in some cases birthdates, along with the doctor/clinic info in the letterhead.

What I Would Do - See Msg Pls

[ In Reply To ..]
Not sure if this was addressed in the post you mention, but did you mention this to the company you are subcontracting for? If not, I would for sure do that first, at least 2 or 3 times, and voice very clearly that you will need to report him/her if they don't comply.

Mind you, you will likely lose your contract with them.

HIPAA violation - Out of here

[ In Reply To ..]
My facility recently had us start encrypting any external e-mail containing patient identifiable information. Just as faxes can end up being sent to the wrong person, which is a HIPAA violation, e-mail can end up being read by the person other than whom it was intended for; any time patient information is compromised it is a HIPAA issue. It really is a good idea to use encrypting software. If you are concerned, you can file a report with Health and Human Services and do it confidentially, or just contact them and ask for advice on how to handle it. I don't think it is a good idea to threaten to report your employer for a violation. They truly may not know that they are committing a breach. There are ways to address it with them without becoming confrontational.

Suggestion - sm

[ In Reply To ..]
http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

http://www.hhs.gov/ocr/privacy/index.html

You, personally, are liable if you are an IC. You cannot hide behind "I did what I was told."

It is your obligation to educate yourself about HIPAA requirements. They are fully explained on the HHS website.

My suggestion is that you go there, learn what you need to do, assess whether you are doing it and what will be required, and inform your MTSO of it.

The circumstances that warrant reporting someone are explained there, as well. Links are provided.

I visited the website... - sm (OP)

[ In Reply To ..]
I've looked at the website mentioned in the reply. I have mentioned on more than 1 occasion that it is against HIPAA to email medical records containing patient information, but have been told not to worry about it. I do realize in doing that emailing, I too am in violation of the HIPAA regulations. I'm prepared to lose the work. I'd hate to think someone was emailing my medical records with no security in place whatsoever.

What I don't understand, and yes I've made the suggestion but I'm the new girl so, is we download our work from an FTP...why can't we upload the completed documents to that site, which is supposed to be secure, and she can retrieve the work from there? I'm not asking for an answer, just thinking out loud!

Clarification - sm

[ In Reply To ..]
It isn't "against HIPAA" to email the documents. It is ill-advised because it is not secure. It leaves the information open to disclosure to individuals who should not have it, i.e., the wrong recipient, criminals, etc. If the information is inappropriately disclosed, a violation has occurred. Not until then, though. You can report potential violations, but I do not believe they will be investigated.

HIPAA - SM

[ In Reply To ..]
What email are you using? Is it a company email? Because you can email stuff if you're using the secure company email.

And like someone else already said, YOU are the one liable for the breaches as an IC so make sure you're ready to CYOA.

I'd contact the office and tell them in researching the HIPAA laws, you feel it's not secure and can no longer send work that way. And yeah, be prepared to lose the work. And that's not to say you shouldn't do it because you'd fear losing the account. It's just the facts of life.

Company email is only secure if it is - secure

[ In Reply To ..]
You cannot assume that email is secure because it is "company email," whatever that is.

Your work email may be secure, but she doesn't work for the same company.

FTP isn't necessarily secure, either.

These are my thoughts - MT

[ In Reply To ..]
You have to remember that YOU were the one who actually did the emailing, so filing a complaint (and any subsequent fines, etc.) is going to fall on YOUR shoulders, not hers. In essence, you will be filing a complaint against yourself.

Instead, my suggestion would be to educate your MTSO on HIPAA requirements, and the next time someone asks you to email patient reports, tell them you cannot do that until you have an encryption program in place.

Not a violation. - CuriousMT

[ In Reply To ..]
I, too, do not believe this to be a violation of HIPAA. I think it's a poor choice for how to communicate things, but as long as the e-mail address you are sending from is your own e-mail and noone else has access and the recipient address is typed correctly and also only viewed by the intended party, they you are fine. This is no different than faxing a referral over from one office to the next, and millions of referrals are generated every day. Same with faxing a prescription to a pharmacy. There is more than 2 bits of PHI on there!

But I do agree that if it were a violation, it would, unfortunately, be on your head, not as much theirs. As an IC, it is your responsibility to have a working knowledge of HIPAA and to follow it, and since you are the one transmitting the report, it would fall to you. But, again, I do not think that just e-mailing a report is against HIPAA.

Alternatively, if you're sending a "Word" document, you could always encrypt that document itself and have the recipient unlock it once they get it. So, if that would make you feel more comfortable, that might be something to look into.

Finally, make SURE you have a confidentiality and privacy statement in the e-mail, and if possible, I would highly suggest saying something like "TO BE OPENED BY XXXXX(MTSO) ONLY! VIOLATION OF FEDERAL LAW IF OPENED BY ANYONE BUT THE INTENDED RECIPIENT!"
I am not a lawyer, but I've had quite a few things sent to me that included wording like that.

Hope this helps.

And P.S. We basically ALL violate HIPAA in one way or another... It sucks, but it happens. You just have to control as much as you can and hope that it's not a big enough infraction to warrant action!

We all basically violate HIPAA??? - Gosh, I hope not

[ In Reply To ..]
I'm pretty sure I basically don't, and neither does anybody I work with.

We take this very seriously.

Those "confidentiality statements" are not going to protect you. It is not a violation of federal law for the recipient to see the contents of the fax or email you negligently sent to him, or for him to know what to do with it or about it. He is not the covered entity or the business associate ... you are. The problem is entirely on YOUR end.

Check the size of those fines, my friend.

Time to educate yourself - sm

[ In Reply To ..]
"I, too, do not believe this to be a violation of HIPAA"

That's just it. HIPAA isn't what you BELIEVE. It's pretty clear. What you BELIEVE is irrelevant.

I don't violate HIPAA and your sweeping generalization is insulting to those of us who have educated ourselves.

Thanks for the thoughtful replies - OP...sm

[ In Reply To ..]
It has become a moot point, as I have decided to take my services elsewhere, not only because of this particular issue, but because of several, several issues that she & I can't seem to come to an agreement on. I appreciate all the replies, though!

As someone who does a MTSO HIPAA - NoOne

[ In Reply To ..]
I deal with HIPAA every single day. It is my job for a larger MTSO. In all honesty if the government knows you have a plan and are working towards becoming 100% compliant then they are going to give you leeway in things like these. In all honesty you need to address this with your supervisor or someone with the company you work for and see what they have to say. The government will eventually come after them if they go too long without working on the issues.

Similar Messages:

Jun 22, 2010

x ...

Jun 26, 2010

So today I get a letter from BCBS of GA. Whoops, they had a security breech on their website. Someone "may have" gotten acccess to my name, SS #, and credit card info. They made "security changes to prevent it from happening again". They are offering me one free year of "identity protection" under Debix Identity Protection Network (has ANYONE out there every heard of this company?). They want me to leap on to the DIPN website and give them all my information so they can prote ...

May 27, 2010

and paid to have them sent to me. The last 20 pages were someone else's medical record. I called the records dept and told the clerk, and she acted like it was no big deal and could I bring them back? At first, I just wanted the extra 5 bux back that I paid for these (5 bux per 20 pages is what they charge). Then I wondered if someone else got a part of MY medical record? She assured me not. This really sounds like a big fat HIPAA violation and I think th ...

May 26, 2013

So I just took a HIPAA course regarding the "new rules" regarding our liabilities and obligations under the law. I often get dictations by doctors who are obviously working at home with their kids running freely (and loudly) through the room, and perhaps a caretaker's voice now and then. If its a HIPAA violation for ME to have other people listening to dictation, isn't the doctor dictating in the presence of others who obviously have no business hearing that dictation a rep ...

Oct 15, 2014

I think this really should be reported and looked into, as long as we're all supposed to be taking HIPAA so seriously. And, no, it doesn't matter what the violation was, I'm not posting it here for everyone to argue over the dirty details. ...

Jan 10, 2015

instead of my own. I called and told the person (it was the exact person that I had send the records) and he acted like it was no big deal -- he just goes, "oh could you bring that back here today?" Of course I will bring them back, but I think it was funny how he made it seem like there was nothing wrong with the scenario. He probably thought I had no idea about HIPAA. ...

Nov 11, 2009

Anyone experiencing HIPAA violation threats of fines/termination? ...

Oct 29, 2009

Hi, I need a quick check on HIPAA rules. With respect to the health care debate, I want to write to my senator, etc., about a situation with a patient I transcribed on. The only info. I intend to give is that the patient was a: Russian immigrant, on welfare and receiving Medicaid benefits--when he should not have. He and his "sponsor(s)" was responsible for his care and living expenses. Further, I transcribed a note in which the doctor said that this patient wanted to re-sched ...

Apr 08, 2010

I received an email too 2 days ago from ccm needing an explanation of why I had a patient's report open when I was not actively transcribing. I know there was a night when I had signed out and I had a window still opened that I did not realize was opened. I had minimized the window in case I needed the document again to refer to. Geesh. sometimes I don't even feel like wasting my time to search old reports. I feel like its constant harrassment lately ...

Dec 22, 2009

I guess its not really something new, but as I was visiting a friend in the hospital yesterday a doc was sitting at the nurse's station just dictating away. I clearly heard patient's name and identifying info and her entire medical history while standing outside the room waiting for nurse's to finish with my friend. ...

Apr 07, 2010

Has anyone else gotten a HIPPA violation for referencing old reports when typing an ESL ? ...

Apr 21, 2010

Hello, One of my friends here at MQ was just put back on 100% QA after one bad audit. Now, due to First Time Right, she will be making 3 cpl less for ALL HER LINES since it all is going to QA - except for that 10% allowance that she has. This is just SO not right!!! How is anyone supposed to live on a pay cut like that? For 8-9 cpl, it's a 30% pay cut! Is this reportable to anyone? (If anyone would care...) What can we do about this - besides quit? ...

Aug 02, 2010

The daughter of a friend of mine works in the clinic that I worked at for 18 years in medical records is known to read charts and then tell others about what she has read. For example, someone who has an STD that she knows, she has told lots of friends about it and I have heard it myself. Does anyone have any idea what happens when you report someone for a violation? I am sure that they take the person's name who is reporting it but can you tell me what else is ...

Feb 04, 2011

My husband went in to have blood tests done for a new blood pressure medication he is on and when he left the house to get an RX filled, the nurse from the doctor's office called to tell him the results of his blood tests. Out of curiosity (testing the HIPAA thing), I asked her if his potassium level was okay and SHE TOLD ME that all his levels were fine except blood sugar was a little high! Not only that, I then asked her what new medication had been prescribed and SHE TOLD ME THAT ALSO! M ...

Nov 23, 2012

I failed to cc a physician they said so I got a 3.0 deduction on a dictation. First one I have ever got. I haven't got an email or anything yet. I just saw it on one of my corrections. I haven't gotten anything from FIESA yet. ...

Jan 03, 2010

Has anyone done the HIPAA training? How was the test? ...

Jan 10, 2010

Could some kindly let me know where the HIPAA test is located in MQCentral. Thanks! ...

Jan 21, 2010

I am trying to get a grasp on understanding HIPAA. Does anyone have any suggestions where I can find "easy-to-understand" HIPAA rules? I have a doct that I type his documents in Word and print them to letterhead for him and then hand-deliver them myself to his office. Is this breaking HIPAA rules? I just need to know what I have to be doing to be HIPAA-compliant and not aware of the facts. Thanks for any input! ...

Jan 28, 2010

if we are to be held responsible for any kind of so-called 'security breach' which can be so easily manipulated to either just get ridf US MTs or at least make life a iving ____ for those of us left in these jobs (for example, if your reports are not 100% perfect - because 98-100% would no longer make sense because an error is an error and all are a security risk and breach - (this is so ridiculous I almost cannot even write it)); however, an MT can and will be fired for such? Im ...

May 29, 2010

I had to take my 18 year old daughter to the ER the other night because she cut her finger (not seriously thank goodness). Being a medical transcriptionist I was rather surprised, she was not given any type of HIPAA form to sign, was not told anything about HIPAA, I thought everyone had to sign one. I always have received a form when I went to the doctor or the hospital but she signed absolutely nothing. Is this something new or is it a HIPAA violation since she did not sign an ...

Jun 16, 2010

Writing to your congressman and complaining to your companies about HIPPA makes you look like an idiot. ...

Feb 28, 2011

I've searched and searched and can't find an answer. Is there a HIPAA rule that dictates how long voice files, particularly voice recognition files, are supposed to be kept in archive? Thanks for any help or pointing me in the right direction ...

Apr 01, 2011

First of all....isn't any medical report being typed out of our country by a another country that isn't required to follow HIPAA regulations.....well a HIPAA violation? Not to mention a potential homeland security risk! Secondly, is anyone else bothered by being instructed to type the patient's name in the body of a report? According to HIPAA regulations, the patient's name is NOT to be typed in the body of any medical report. We are all violating HIPAA by doing this ...

Jun 13, 2012

So, my ex-husband of 15 years called my and my son's doctor's office and gets all of our medical and billing information (son is 21). Takes those documents and files suit in court against me using the documents he obtained fraudulently to claim that I have lied about the cost of our son's medical bills (he has been ordered three times to to pay 50% of those costs which only amount to about $2,800). Y'all get that? He committed fraud in order to prove that I have committ ...

Aug 29, 2013

Feel the need to address certain posts "..and there are no such places as you describe any longer. I have been working for an MTSO that treats their ICs as employees without all the "benefits," but also looking for something else along the way. I have not found ONE...not ONE service that takes true ICs any longer." This is called painting with a very broad brush. How can you claim that as accurate? Saying 'no such places' means you have literally checked into, inquired and e ...

Oct 08, 2013

When a consultant's office calls the referred patient, is that office allowed to say the name of their office? Ex: Got a call from a GI office for my husband. The woman gave her first name and said she needed his medical hx before she could schedule an appointment. I asked what office she was from, and she said she couldn't say because of HIPAA but that it was a referral from his PCP. Is it true that because of HIPAA we can't even know who's ...

Apr 08, 2014

What fines could MTSOs be faced with for HIPAA violations in requiring their employees to use Win XP, which is no longer HIPAA compliant? I wonder if it might be worth an increase in line rate to keep our mouths shut. ;o) ...

Apr 23, 2014

From what I am hearing, if you have an XP computer, you are not HIPAA compliant. It violates regulatory requirements. Then why is MM not supplying us with Windows 7? My XP computer they gave me was freezing up, so they sent me another XP. I asked them why they didn't send me Windows 7 and they said XP was cheaper. So now as of April 8, they are not HIPAA compliant. I would like to know how they get around this,,,,,,having many accounts and still having many employees submitting reports u ...

Jan 27, 2015

I get why they do these webinar things, but honestly, the person narrating sounds like she herself is bored. I try to follow it, take notes, but know deep down that when I do the test very little of it will have been absorbed, so am resigned to taking the test any number of times. It's kind of like watching a weather report you are waiting for, yet then when it comes on you realize you have completely blanked and it's over. I have a real problem focusing on webinars. ...

Dec 23, 2009

sending a copy of the report to the wrong doctor, what about sending all this work offshore? What am I not understanding? If sending a copy to the wrong Dr. Smith constitutes a huge breach of security, then sending people's health records and personal information offshore constitutes a GIGANTIC breach of security. ...