Q: Google Groups and HIPAA (Answered, 4 out of 5 stars, 0 Comments)
Question  
Subject: Google Groups and HIPAA
Category: Health > Medicine
Asked by: evc-ga
List Price: $12.00
Posted: 21 Apr 2006 06:52 PDT
Expires: 21 May 2006 06:52 PDT
Question ID: 721314
Can Google Groups be used to discuss patient information with other
doctors and be legally compliant with HIPAA?
Answer  
Subject: Re: Google Groups and HIPAA
Answered By: crabcakes-ga on 22 Apr 2006 13:12 PDT
Rated: 4 out of 5 stars
 
Hello Evc,


   No. No one, including doctors, nurses, allied health personnel, or
secretaries can discuss a patient's medical records in a public place.
Even without HIPAA, doctors cannot break patient-doctor
confidentiality. If this were to happen, the doctor would be
vulnerable to a lawsuit!

   Medical staff can discuss, in open forums, certain aspects of a
case without revealing personal information about a patient. For
example: let's say you have just visited Madagascar and came home
with a wound in which a fly has laid its eggs. (This happens!) Your
doctor could discuss, in a public forum, that s/he was treating a case
of a fly-egg-infested wound and how it is being treated. You would
not be named, nor would anything that could identify the case as being
yours. (This is how information can be shared for the benefit of
others.)


"The professional duty of confidentiality covers not only what
patients may reveal to doctors, but also what doctors may
independently conclude or form an opinion about, based on their
EXAMINATION or ASSESSMENT of patients. Confidentiality covers all
medical records (including x-rays, lab-reports, etc.) as well as
communications between patient and doctor, and it generally includes
communications between the patient and other professional staff
working with the doctor."
http://law.enotes.com/everyday-law-encyclopedia/89978


"HIPAA was passed to help protect and safeguard the security and
confidentiality of a person's health information. One part of HIPAA,
the Privacy Rule, aims to keep your medical information private and
prevent unnecessary disclosures of your protected health information
(PHI). That doesn't mean that your doctor can't talk to anyone about
your health information."
http://pediatrics.about.com/cs/pediatrics101/a/hipaa_guide.htm


The duty of confidentiality continues even after patients stop seeing
or being treated by their doctors. Once doctors are under a duty of
confidentiality, they cannot divulge any medical information about
their patients to third persons without patient consent. There are,
however, exceptions to this rule.


"Patient confidentiality, then, is not only a time-honored principle
of medical practice, but indeed, a strong covenant of the ethics of
Hippocrates, inherent to the honorable medical profession.

When President Clinton was asked to release his medical records to the
public during the 1996 re-election campaign, he invoked the privacy of
the patient-doctor relationship and his lawyers refused to do so
(recently it has taken subpoenas and a grave criminal investigation by
the Office of the Independent Counsel before the president surrendered
certain biologic samples and medical information to government
investigators). Americans should be entitled to, and afforded, this
same right of privacy, and should be concerned about confidentiality
for ultimately, as patients, we will all have sensitive medical
information compiled. Yes, we will all have medical charts compiled
documenting details of our medical history, which should only be
inspected by medical personnel to whom explicit written consent has
been given for continuity of medical care, or made accessible to third
parties (including the government) upon written authorization from the
patient - each time information is requested, and delineating the
specific need for the disclosure, as well as outlining the manner in
which the information will be used."
http://www.aapsonline.org/jpands/hacienda/article3.html


"Your doctor, insurance company, and other healthcare providers have
to ask for your written permission before they can release your
personal health information.

This is true unless the release is for the purpose of treatment,
payment, or healthcare operations.[4]

In the case of sensitive information, like HIV test results or what
you tell a psychiatrist, your written permission is required in most
situations.[5]

* Giving your permission

Your written permission is called an "authorization." It must state
what information can be released, to whom, and for what purpose. It
must be dated.

You have the right to say no without fearing any kind of pressure or
retaliation. You have the right to change your mind at any time and
take back your written authorization.[6]

You can also ask your doctor or health plan to limit how they use or
release your information for treatment, payment, or healthcare
operations. But they are not required to agree to your request.[7]

* Contacting you

You also have the right to ask your doctor or health plan to contact
you only in certain ways or at certain locations. For example, you can
ask your doctor to send reminder notices to you at a certain address.
Or you can ask to be called only at home rather than at work."
http://www.privacy.ca.gov/sheets/cis7english.htm


"HIPAA has a direct impact on mobile computing, specifically in the
following areas where the law outlines the security requirements for
protecting healthcare information and patient records.

o Data security is required to safeguard the confidentiality of
healthcare data and patient records and make available these data only
to authorized healthcare professionals. Elements of the data security
requirements include data integrity and authentication, access
control, user authorization and audit procedures.

o Communication safeguards are also required to prevent unauthorized access to
sensitive healthcare data being transmitted through public or private
networks. IT administrators are required to implement data encryption
and integrity assurance measures, message authentication and access
control."
http://america.renesas.com/media/products/security/x-mobilecard/literature/Backgrounder_-_HIPAA_052704.pdf


More on HIPAA
http://www.soundmedicine.iu.edu/archive/2003/051703.html

I hope this helps you out! Please ask for an Answer Clarification, if
anything is unclear, and allow me to respond, before you rate.

Sincerely, Crabcakes

Search Terms
============
Patient-doctor confidentiality + HIPAA

Request for Answer Clarification by evc-ga on 22 Apr 2006 19:36 PDT
Thank you for your thoughtful reply; Perhaps I should clarify further;
As an inpatient physician group we are looking to create a channel of
communication with a group of outpatient physicians to communicate
logistic patient issues such as follow up appointment needs and
medication list requests.  I've created several google groups with
access restricted to physicians only.   Do you feel this would be
appropriate? It would be a private forum restricted only to the
physicians taking part in one's care. Thanks, ES

Clarification of Answer by crabcakes-ga on 22 Apr 2006 20:56 PDT
Thank you for your clarification. Your question is a bit different
from the original, which sounded as if it was from a worried patient.
For your benefit and that of researchers that may answer your future
questions, try and provide as many details as possible - ensuring  you
will get a prompt and accurate answer.

That being said, here is what I found.

"The HIPAA Privacy Rule pertains to three categories of "covered
entities" - health care providers, health plans, and health care
clearinghouses.

   1. Health care providers are covered if they transmit health
information electronically. Even a doctor in a small practice who
keeps only paper records will almost certainly use a billing service
that transmits information electronically. In short, it is nearly
impossible to provide health care today without using electronic means
in some way.

      As long as information is transmitted electronically, "health
care provider" includes your doctors, hospitals, staff involved in
your treatment, laboratories, pharmacists, dentists, and many others
that provide medical, dental, and mental health care or treatment. In
short, a provider is almost anyone in the business of providing health
care who is licensed or regulated by the states.

   2. Health plan means almost anyone that pays for the cost of
medical care. This includes: health insurance companies, HMOs (health
maintenance organizations), group health plans sponsored by your
employer, Medicare and Medicaid, and virtually any other company or
arrangement that pays for your health care.

   3. Health care clearinghouses can be any number of organizations
that work as a go-between for health care providers and health plans.
An example of this would be a billing service that takes information
from a doctor and puts it into a standard coded format. Patients
rarely deal directly with clearinghouses."
http://www.privacyrights.org/fs/fs8a-hipaa.htm#4


"An article about 'Disaster-proofing your EHR' [10] noted that a
third-party, Web-based EHR pilot program in use by a Toledo physician
and 15 others across the nation was the answer to natural calamities.
The project used remote servers to reduce costs for the doctors and to
'ensure data safety.' The program may sound good, but the result of
the program was that patient data was going to a third party server
apparently via the Internet and was under the control of third
parties. Were patients informed of this data transfer? Did they
consent to this data transfer? There are also acute computer security
questions that would need to be asked in any audit of this system."
http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html


"* 04/15/05 California Department of Health Services: 21,600 individuals

  The CDHS confirmed the theft of a laptop computer that contained
personal information May 26. Names, SSNs, and health information for
21,600 recipients of Medi-Cal services was on the laptop. The computer
was stolen from the locked trunk of a car of an employee of a company
that provides data services to the state [17].

* 05/26/05 Duke University Medical Center: 14,000 individuals

  Duke notified patients that a hacker broke into its computer
system and stole 5,500 users' passwords and nearly 9,000 fragments of
Social Security numbers belonging to medical school alumni, medical
center staff, faculty and trainees [18].

* 06/14/05 Medica Health Plans (Minnesota): 1.2 million individuals

  Hackers stole sensitive and confidential data from Medica's
computer system two times in January and shut down parts of the system
on four other occasions, exposing members' SSNs, addresses, dates of
birth, employment information, and names of relatives [19]."

"I will touch on specific security risks in networked environments
later on. Here, I would like to note that security breaches will be
part of any digital medical environment because the current medical
system is architected in such a way that breaches are inevitable.
Fundamentally, the modern health care system is an open-loop system,
with a closed-system being the exception rather than the rule.

The healthcare system provides information to a wide range of users
through a complex series of dataflows, and that is not likely to
change. Primary users include information flows to caregivers and
their support system, for example, pharmacies and clinical
laboratories. Secondary users include payors, insurers, government
benefit agencies, accrediting organizations, bureaus of vital
statistics and health departments, scientific researchers, as well as
marketing firms and vendors of health-related products [25].

Given these substantial data flows and all of the increased risks
these flows bring, the loss of privacy and confidentiality due to
security breaches will have to be part of the Committee's planning as
it considers the NHIN and even the structure of individual EHRs. Going
forward, it will be useful to consider industry-wide standards and
regulations governing breaches. These regulations would ideally
include patient notification and private right of action."
http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html

"I don't want you to archive my articles! How can I keep my messages
from being archived on Google Groups?

Any post that contains the text "X-No-Archive" in either the header or
the first line of the message (with no additional text included on
that line) will be displayed on Google Groups for only seven days and
won't be searchable after it's removed."
http://groups.google.com/support/bin/answer.py?answer=7918


HIPAA + Electronic Media
http://www.authora.com/healthcare.asp


Hacking 
http://www.gmailforums.com/lofiversion/index.php/t14896.html

http://dmoz.org/Computers/Hacking/Chats_and_Forums/



While I found nothing specific to HIPAA and private
groups/forums/chats, it seems like risky business discussing patients
by name. Google claims not to archive your group messages, at your
request, but remember that the information hops from computer to
computer along its way. I'll admit, I would not want MY name or chart
data being discussed on a forum, private or not. Consider the
possibility of hacking, packet sniffers, password theft, keystroke
loggers, laptop/PC theft, etc.

If this is not the answer you were seeking, please do not rate this
answer, without asking for another clarification, and allowing me to
respond.

Regards, Crabcakes
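The Google Groups FAQ passage quoted in this clarification states the X-No-Archive opt-out as a rule over a message: the marker appears in a header, or alone on the first line of the body. The snippet below is added here as an illustration; it is not code from Google or from the original answer. It builds a group post carrying that header and checks an incoming message against the quoted rule, assuming the conventional "X-No-Archive: Yes" form and also accepting the bare marker on the first body line, which the FAQ wording leaves open. Addresses and message text are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Marker named in the Google Groups FAQ; compared case-insensitively.
MARKER = "x-no-archive"


def build_post(sender: str, group: str, subject: str, body: str,
               no_archive: bool = True) -> bytes:
    """Build an RFC 5322 message for the group, optionally with the
    X-No-Archive header set (assumed value "Yes", the usual convention)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = group
    msg["Subject"] = subject
    if no_archive:
        msg["X-No-Archive"] = "Yes"
    msg.set_content(body)
    return msg.as_bytes()


def first_body_line(msg: EmailMessage) -> str:
    """Return the first line of the text/plain body, stripped, or ''."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return ""
    for line in part.get_content().splitlines():
        return line.strip()
    return ""


def opts_out_of_archiving(raw: bytes) -> bool:
    """Apply the FAQ rule: marker in a header, or alone on the first body
    line (nothing else on that line; ': Yes' is assumed to be allowed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get("X-No-Archive") is not None:
        return True
    first = first_body_line(msg).lower()
    return first in (MARKER, f"{MARKER}: yes")


if __name__ == "__main__":
    # Constructed sample post for a hypothetical physicians-only group.
    raw = build_post("inpatient@example.org", "handoff@example-group.test",
                     "follow-up needed", "Please see the faxed summary.")
    print(raw.decode())
    print("opts out of archiving:", opts_out_of_archiving(raw))
```

Note what the opt-out does and does not do: per the FAQ it only shortens how long Google Groups displays and indexes the post. Every member's mail client still receives a copy, the message still hops through the provider's systems in transit, and nothing stops a recipient from saving or forwarding it, so it is not a confidentiality control for patient information.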

Request for Answer Clarification by evc-ga on 23 Apr 2006 04:06 PDT
Hi Crabcakes, The convenience and accessibility of a web based
solution provides our groups an opportunity to improve patient care in
terms of facilitating communications that would often not occur due to
the logistic difficulties in the traditional methods of communication
(i.e., telephone and the automated voice attendant and fax
accessibility).  For instance on weekends or late nights when offices
are traditionally closed I can submit,  "Mr. C was discharged on
Saturday and he needs close follow up this week,  I've notified him to
call your office on Monday.  He will also need bloodwork"  or if I see
a patient late at night and he cannot recall the dosages of his
medications I might submit "Mr. C was admitted last night however he
does not recall the dosages of his medications please address"
Aside from the traditional means of communication (i.e., phone/fax/mail)
is google groups no better or worse than the alternatives out there to
communicate in this way? Do you suggest an alternative? Thanks, ES

Request for Answer Clarification by evc-ga on 23 Apr 2006 04:31 PDT
I would like to additionally clarify that the channel of communication
that I'm searching for is not in lieu of the comprehensive traditional
hospital discharge summary which is and will continue to be faxed to
outpatient clinics after hospital discharge.  These traditionally
contain patient sensitive confidential information and again will
continue to be sent via fax/mail. Thanks,  ES
evc-ga rated this answer: 4 out of 5 stars
Effort is greatly appreciated with useful links; However I would
appreciate additional commentary on the clarifications...
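Crabcakes' point that discussing patients by name on a hosted forum is risky business, together with ES's sample messages ("Mr. C was discharged on Saturday ..."), suggests one concrete mitigation that the thread does not spell out: refer to the patient by a keyed pseudonym that only the two practices can resolve, and refuse to send text that still carries an obvious identifier. The code below is an added example written for this page, not code from Google Groups or from either physician group. The shared key, the roster and the sample messages are constructed assumptions; the key would have to be exchanged out of band and never posted, and the regexes are a coarse guard, not a complete de-identification. This reduces what the hosting provider stores, but it does not by itself make a third-party forum HIPAA-compliant.

```python
import hashlib
import hmac
import re

# Constructed sample data (assumptions, not from the page): a secret the two
# practices share out of band, and the outpatient office's own patient roster.
SHARED_KEY = b"example-secret-exchanged-out-of-band"
ROSTER = {"MRN-00421": "Mr. C", "MRN-00877": "Ms. D"}

# Coarse patterns for identifiers that should never reach the group:
# honorific plus name, US-style dates, and SSN-shaped digit runs.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][\w'-]*"),
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),
]


def patient_token(key: bytes, mrn: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the local MRN, truncated to 12 hex
    characters. The forum provider sees only this token; linking it back to a
    person requires the key and the receiving office's roster."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def find_identifiers(text: str) -> list:
    """Return substrings that look like direct identifiers, in pattern order."""
    hits = []
    for pattern in IDENTIFIER_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(text))
    return hits


def compose_post(key: bytes, mrn: str, name: str, text: str) -> str:
    """Replace the patient's name with the token, then refuse to emit anything
    that still looks identifying (a date, an SSN, another name)."""
    token = patient_token(key, mrn)
    out = text.replace(name, f"patient {token}")
    leftovers = find_identifiers(out)
    if leftovers:
        raise ValueError(f"refusing to post; identifiers remain: {leftovers}")
    return out


def resolve_token(key: bytes, token: str, roster: dict):
    """Receiving side: map a token back to a roster entry using a
    constant-time comparison; None if no roster entry matches."""
    for mrn, name in roster.items():
        if hmac.compare_digest(patient_token(key, mrn), token):
            return mrn, name
    return None


if __name__ == "__main__":
    # Constructed hand-off message modelled on the one in the thread.
    post = compose_post(SHARED_KEY, "MRN-00421", "Mr. C",
                        "Mr. C was discharged on Saturday and needs close "
                        "follow-up this week. He will also need bloodwork.")
    print(post)
    print(resolve_token(SHARED_KEY, post.split()[1], ROSTER))
```

The token is deterministic, so repeated posts about the same patient are linkable to each other by anyone reading the group; that is acceptable for a hand-off channel between two offices but is another reason the key and roster must stay off the forum. Free text such as "Saturday" or a rare diagnosis can still identify someone in a small population, which is why the guard is a backstop and not a substitute for keeping the sensitive discharge summary on the fax/mail path, as ES describes.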

Comments  
There are no comments at this time.
