Post by: BillV on July 08, 2009, 09:14:02 AM
Ok, so I've got 0 experience dealing with anything HIPAA and I'm a bit concerned with what my wife just told me. Before I call up the pediatrician's office (in a rage) where we take my daughter, I wanted to run this by the community to make sure my concerns are legit.
So, my wife gets this email today titled "PhoneSlip Login Details" with my daughters name welcoming her to "PhoneSlips"  and providing a username and password (her birthdate!) - FYI, my daughter is 3 y/o and obviously didn't sign-up for anything.
I instructed my wife to grab the headers and forward them to me along with a copy of the email. I was able to identify a small IT services outfit (looks like their market is doctor offices) as the originator of the email.
So, I'm sure you can see where my concern is going at this point. Who is this IT company, why do they have patient information (my daughter) from the doctors office, and why is my doctors office giving this type of information to third-parties??
Yes, it's just a name and a birthdate (that I'm aware of), but it's the principle here. I don't know how this plays in with patient confidentiality and/or HIPAA or any other laws/regs.
Is this something to complain about or am I just over-reacting?
PHONEslips is an easy to use messaging and office information management system for professional offices. It handles phone messages, memos, e-mails, contact database, schedules and to-do lists for everyone in the office.
Title: Re: HIPAA/Regs
Post by: BillV on July 08, 2009, 09:47:26 AM
Looks like I might have a pretty good response from my dad:
HIPAA prevents disclosure of ANY personal infornation that can be tied to a name. The vendor (Phoneslips) can sign a 'Business Associate' agreement to permit transfer of this information with its client (pediatrician) wherein they promise not to disclose the info except for doing business required by their role. I am pretty sure they would have signed this so HIPAA is not likely violated. All new patients sign this same (or similar) agreement when they first visit a new provider; you would have had to do the same. Your gripe might be sending HIPAA protected info over the ethernet without encryption, we use encryption for this, and could be construed to be a violation.
That sound about accurate?
Title: Re: HIPAA/Regs
Post by: hayabusa on July 08, 2009, 10:37:24 AM
Sounds about right, assuming that's all the information they transmitted. The data should not be transmitted in clear text across the public internet, and so that could be considered a possible breach of the HIPAA policies.
Their reasoning for having / transmitting the data might be perfectly legitimate, but they should definitely be more careful in how they use / transmit said data.