Hi! Thanks for the very interesting question.
I've found the following possible instances or sources of complaints
due to the HIPAA regulations policy. I will just cite snippets from
the articles so as to save you time but I highly suggest that you read
them in their entirety so as to get a better coverage.
Allegations that a covered entity refused to note a request for
correction in a patient's medical record, or did not provide complete
access to a patient's medical records to that patient.
Allegations that a covered entity used health information for
marketing purposes without first obtaining the individuals'
authorization when required by the rule. OCR may need to review
information in the marketing department that contains personal health
information, to determine whether a violation has occurred.
On the disclosure of information to law enforcement agencies:
However, unless the disclosure is required by some other law, covered
entities should use their professional judgment to decide whether to
disclose information, reflecting their own policies and ethical
principles. In other words, doctors, hospitals, and health plans could
continue to follow their own policies to protect privacy in such
instances.
Standards for Privacy of Individually Identifiable Health
Information
http://www.hipaadvisory.com/regs/finalprivacy/grestrictions.htm
Such problems with law enforcement have already been the subject of
some litigation with this link providing an example.
In the case, the federal government sought certain hospital pharmacy
records as part of a criminal investigation of a medical doctor. A
magistrate ordered that the records be disclosed but also required
that the federal government first provide notice to each affected
patient in accordance with state privacy laws
On appeal, the federal district court said it was not bound by the
state procedural law in a federal criminal prosecution; however, the
court said that despite the inapplicability of state law, federal
courts have acknowledged the importance of protecting patients'
privacy in medical records.
HIPAA Regulations Guide Court in Ordering Patient Privacy Notice
http://www.benefitslink.com/articles/hipaa010618.shtml
The AIS Health website meanwhile has provided the public with a lot of
information regarding HIPAA PHI privacy regulations.
Marketing rules of HIPAA information for example could be a source of
annoyance to the public.
doctors and other covered entities may use the PHI to let patients
know about treatment options and alternatives to current treatments
(such as new drugs) without authorization.
The patient's written authorization also is not required for
face-to-face communications (between provider and patient, for
example) and any communications that include promotional gifts of
nominal value. Communications related to case management or care
coordination also are not considered marketing.
While Good News for Patients, Marketing Rules Still Unclear
http://www.aishealth.com/Compliance/Hipaa/RPPGoodNews.html
Fax, telephone and email transmissions of information may also be
another source of HIPAA complaint if the standard procedures are not
followed.
Fax:
It's one of your HIPAA nightmares: The local newspaper's fax number
is one digit off from the fax number of the hospital's medical records
department. When a physician's office manager misdials, a patient's
lab test results are faxed to the newspaper instead of the hospital.
The newspaper tracks down the chain of events and writes an article.
Something just like this happened in real life, and it was
embarrassing for the hospital. But soon it could be a
HIPAA violation.
Take These 21 Steps to Protect PHI Transmitted by Fax
http://www.aishealth.com/Compliance/Hipaa/RMC21Steps.html
------
Email and the Internet:
E-mail is among the riskiest and potentially most damaging conduits
for PHI. With one click of the "Send" button, e-mail messages are
irretrievably hurled into the cyber-unknown, free to be copied and
re-sent repeatedly (in a matter of seconds) by people from Athens,
Ga., to Athens, Greece. Unlike paper documents, you have no ability
whatsoever to control the flow of e-mail information and ultimately
destroy it.
Safeguarding E-Mail PHI May Be Your Toughest Challenge
http://www.aishealth.com/Compliance/Hipaa/RPPSafeguardingHIPAA.html
In a related article from a different source, hacking of medical
databases could also be a potential problem that HIPAA must resolve.
How to Meet Tomorrow's Privacy Rules Today - PRIVACY - How to prepare
for evolving security regulations; How health-care CIOs have taken
difficult task and made it look easy
CIO Magazine
Nov 1, 2002
http://www.cio.com/archive/110102/rules.html
--------
Telephone:
Even in the most heart-wrenching situations, like a parent calling
after a school-bus accident, health information management director
Rebecca Buegel always verifies a caller's identity or right to patient
information. Her first allegiance is to the patient's privacy, and it
just takes a second to make some small effort to try to confirm the
caller's identity and/or right to that PHI. "Just because a caller is
crying doesn't mean we violate someone's right to privacy," says
Buegel, who doubles as privacy officer at Casa Grande Regional Medical
Center. And that's what she emphasizes to her staff and other
employees at the hospital.
Strategies to Help Quickly Verify a Caller's Right to PHI
http://www.aishealth.com/Compliance/Hipaa/RPPStrategies.html
------
The destruction of client records that are not in use should also be
made with care and absolutely erased from any form of storage.
PHI destruction is an essential part of your HIPAA compliance
program. Doing it effectively requires covered entities to identify
all forms of PHI and ensure they are truly obliterated. You can't
count on shredding unless, for example, you know the material is
definitely shredded, and that no one is sneaking a peek at documents
before they are torn to bits. Just ask the provider that discovered
its shredding company was actually emptying the locked trash bins at
the landfill instead of shredding
Identifying and Destroying PHI: Be Sure Shredding, Deleting Are
Effective
http://www.aishealth.com/Compliance/Hipaa/RPPIdentifyingDestroying.html
Another possible source of complaint is the inclusion of a patient in
the facility directory of the hospital and on the question of who
shall be permitted access to such records. Under HIPAA, in certain
cases a personal representative can acquire data, but only that which
is relevant to health matters.
Patients can tell the hospital to exclude even basic information
about them from the facility directory. According to Section 164.510
of the privacy standard, covered entities must give people the
opportunity to object to the use of their protected health information
in certain circumstances, such as for facility directories, without
their written consent or authorization.
However, if another person, like a parent, is considered a "personal
representative" under the privacy standards, the personal
representative can get information about the patient "to the extent
the protected health information is relevant to the health matters"
that the personal representative is authorized to represent the
individual for, says Glover, with Chuhak & Tecson. This may occur with
a legal guardian, who, for example, is a health care decision maker
appointed under a health care power of attorney or, for example,
pursuant to the Illinois Health Care Surrogate Act. You can't verify
this over the phone, he warns.
In the same article, there might also be confusion as regards
access by the clergy and the media since the patient must specifically
state that they do not want these groups to have access to their
records.
HIPAA dictates that clergy members can access directory information
without specific patient names, Glover says. They can just solicit
religious affiliation.
HIPAA Raises New Questions About Facility Directories
http://www.aishealth.com/Compliance/Hipaa/RPPHIPAADir.html
Limits to access to one's own medical records will probably spark lots
of debate and complaints as shown from this example.
Although HIPAA gives people a "right of access to inspect and obtain
a copy" of their own protected health information, there are a few
exceptions. For one thing, people can see only their "designated
record set," which is limited, at providers, to medical and billing
records. And HHS excluded several things from the right of access,
including tests that are subject to the Clinical Laboratory
Improvements Amendments. Who Gets the Lab Results?
CLIA Labs Don't Have to Provide Patients With Their PHI
http://www.aishealth.com/Compliance/Hipaa/RPPCLIALabs.html
Employer access to employee information could also be a future source
of complaints and even controversial conflicts.
It is worth noting that there is no private right of action available
for individuals to sue an employer for HIPAA violations. However,
HIPAA does arguably create a higher standard of care regarding the
proper use of health information and could provide a baseline for
negligent conduct under tort laws.
HIPAA will have impact on employers
http://albany.bizjournals.com/albany/stories/2001/09/24/focus4.html
Other cases that are not tied to privacy but are possible conflicts in
the future due to HIPAA's new policies could be in medical billing and
workforce classification.
NCCI Edits: Billing Errors Persist With Component, Mutually Exclusive
Codes
http://www.aishealth.com/Compliance/ResearchTools/RMCNCCIEdits.html
New Workforce Distinctions Drive HIPAA Training and Compliance
http://www.aishealth.com/Compliance/Hipaa/RPPNewWork.html
Search terms used:
HIPAA privacy problems future
I hope these links would help you in your research. Before rating this
answer, please ask for a clarification if you have a question or if
you would need further information.
Thanks for visiting us.
Regards,
Easterangel-ga
Google Answers Researcher