I wish today's post to be light-hearted, but realize in the end, there may be some lessons learned....be careful. You, too, may become conscious of your own privacy.
My cell phone rang the other day and I answered it "hello." What follows is the gist of the conversation. I could be partially wrong in the exact wording, but the meaning remains the same. I have changed Paul's name to protect the unknowing.
K: Hello
Bob: Hi. I'm calling to speak with K Royal about an emergency room visit to blah blah hospital on this past Saturday on February 8.
(please note - at this point, he has disclosed my protected health information if someone other than me had answered the phone).
K: this is K.
B: Hi, this is Bob, an RN at blah blah hospital. Before I go any further, I need to confirm your identity to maintain confidentiality. What is your date of birth?
K: (really?! you've already blown it, mister) Hi Bob, can you confirm your identity to me before I provide you with my date of birth?
B: Uh, no.
K: So there is nothing you can do, at all, to prove you are calling from the hospital? (I was expecting him to say - sure, call the hospital and ask for me or my extension)
B: No. can't think of anything. I just want your date of birth.
K: Okay, let's try this - tell me if you are calling to survey me on how well your service was or if you want to discuss something of a medical nature.
B: Ma'am, I can't tell you that. It violates HIPAA.
K: Actually, it does not. I am not asking you to give me any personal or protected information. I am just asking for the general nature of your call.
B: Ma'am that does violate HIPAA. HIPAA won't let me tell you the purpose of my call.
K: Bob, I am a privacy attorney and very familiar with HIPAA, I can assure you that it does not. How about this...are you calling to survey me about your service? cause if you are, it was fabulous and I felt everything went smoothly.
B: Ma'am, I cannot answer that question because it would violate HIPAA. And if you won't give me your date of birth, we seem to have a problem. I know HIPAA very well - and it won't let me continue without it.
K: Bob, I actually seem to know HIPAA better than you do ... at least in this instance ... because HIPAA would not stop you from answering that question.
B: So what do you want to do?
K: I guess we're at an impasse, Bob. You cannot verify who you are or where you are calling from, you want me to provide you with even further personal information, and you won't tell me the purpose of your call. Sooooo, I think we're done here - and I truly hope you were not calling to tell me something popped up on the tests and I am dying. Feel free to call me back when you either learn more about what you can say under HIPAA or can provide verification of who you are. Have a good afternoon. Bye bye.
I called the privacy officer and left a message to call me. Nothing.
So what did we learn here (other than stupid stuff like this brings out my snarky side)?
1) It is a HIPAA violation for a covered entity to give out information before verifying the patient's identity - as in his opening statement.
2) When people ask for personal information, verify who they are.
3) Not all health care personnel in the US really know and understand HIPAA rules.
4) Patients need to be vigilant about their health care AND their personal information.
ah ha - someone else called from the hospital today. Identified herself and provided a call back number, as well as indicated she was calling to provide lab results. I chose to verify my identity, explained what happened the last call, and learned that I need to go on antibiotics for an infection. Now see, with lupus, an infection, however minor at the onset, could kill me. So I suppose I was trying to create a self-fulfilling prophecy when I snarked that I hope he wasn't calling to let me know I was dying. whew.
ReplyDelete