How Safe Are Your Medical Records? Local Issues Highlight Concerns

Identity theft and medical privacy laws are headline-making issues and valid points of concern for patients and the medical community. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established federally regulated safeguards and procedures to secure the privacy of patients’ medical records and other personal health information. At its core, HIPAA is designed to protect information that is personally identifiable and health-related, while providing avenues to disclose information needed for patient care. Sometimes, that information is shared between medical facilities or practitioners and, while that is allowable under HIPAA, there are policies in place to keep that sensitive information from falling into the wrong hands.

While breaches that impact more than 500 individuals are made public, there are more than 80,000 complaints filed with the HIPAA division of the Office for Civil Rights/U.S. Department of Health and Human Services. From November 30, 2013 to the current date, Tennessee registered only six complaints that impacted more than 500 people. Small or individual complaints make up a significant portion of the total number of complaints filed each year, yet those complaints are not made public.

One local couple has been on the receiving end of sensitive medical information that was not meant for their viewing, twice in the past six months. Teresa and Randy Walker, of Dandridge, have, on two separate occasions, received medical information faxed to their home regarding people whom they have never met, let alone whose sensitive records they should be privy to. Medical information regarding the patients was sent, but that was not all that was included in the misdirected fax. The Walkers also received information that, had it fallen into malicious hands, could have had great financial repercussions. A name and information that could have been used for identity theft were part of the communication that was meant to be between Tennova Hospital and the Jefferson County Nursing Home, as was the patient’s private, extensive medical information. The Walkers received the first misdirected fax a few months ago. Realizing that a mistake had been made, they contacted the parties involved to be sure that the necessary medical information would make it to its intended recipient. After being informed of the misdirected fax, Tennova Hospital requested that the Walkers shred the multi-page report. When the hospital was informed that Randy and Teresa’s shredder was not working, Tennova requested that they drive the information to the hospital, but eventually settled on the Walkers’ sending the paperwork in via regular mail. Later, they were asked to sign a form stating that they would not misuse the information that they had received. They were told that the breach would have to be reported but, because it was an individual patient, the information regarding any reported complaint was not posted by the Office for Civil Rights/U.S. Department of Health and Human Services.

The second time that the Walkers received misdirected medical information via fax was on November 2, 2014, when they received a fax between a local physician and the Jefferson County Nursing Home. Though the information in the fax was patient-related, this time it did not include as much personally identifying information but did contain sensitive medical information. The Walkers have discovered that their fax number is similar to that of the Jefferson County Nursing Home. However, HIPAA has guidelines in place to catch dialing mistakes and prevent sensitive medical information from getting into the wrong hands, if they are utilized.

A misdirected fax is not unusual, and it is allowable to fax medical information under HIPAA guidelines. Most medical faxes come with a disclosure stating that if the receiver is not the intended recipient, they should contact the sender and destroy or return the documents. The disclaimer also prohibits the recipient from using the information on the faxed document; however, it is little reassurance to those whose private information falls into the hands of those with criminal intent. In answer to the issues that increased technology has created in regard to the privacy of medical records, HIPAA has rolled out the Final Omnibus Rule that will allow for greater accountability for business partners of health care providers and stiffer fines for violations by those providers and their partners.

Teresa Walker stated, “I was concerned that such detailed information could end up at the wrong place. We would never use it, but not everyone would do the right thing. If this can happen, twice with us, it makes me wonder how safe our own or anyone’s private information is.” When asked about the response from the local hospital regarding the incident, Walker responded, “I don’t think that they were especially happy that we contacted them when the first fax came in and, in fact, they seemed irritated that it would have to be reported.”

Source: K. Depew, News Director