HIPAA information may not be top-secret

BY CATHY JETT

Chances are good that you’ve signed a HIPAA agreement at the doctor’s office or at your pharmacy.

But, like most people, chances are equally good that you’ve never really read it—or understand what your rights are under the Health Insurance Portability and Accountability Act.

And that’s a shame, said Susan McAndrew, deputy director for health information privacy in the Department of Health and Human Services’ Office of Civil Rights.

“We really do encourage individuals to pay attention to those notices, she said.

Not only do the agreements spell out your rights, but they give you the contact information and procedures to use if you need to exercise them. And you might just need to. McAndrew’s office gets between 7,000 and 8,000 complaints annually about alleged HIPAA violations.

“The most common complaints are allegations that a covered entity has disclosed the individual’s information,” she said. “We also get a number about how electronic information has or has not been secured.”

The Alaska Department of Health and Social Services, for example, recently agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle possible HIPAA violations.

The Office of Civil Rights found evidence that the department did not have adequate safeguard policies and procedures in place after a USB hard drive that may have contained protected information had stolen from the vehicle of an Alaska Department of Health and Social Services employee. The office also found that the department hadn’t implemented sufficient risk management measures, among other failings.

HIPAA, which President Bill Clinton signed into law in 1996, regulates the use and disclosure of Protected Health Information, or PHI, held by what the act terms “covered entities.” These include health care clearinghouses, employer-sponsored health plans, health insurers and medical service providers.

You typically sign HIPAA agreements the first time you see a physician or get a prescription filled at a pharmacy. This allows these entities to do such things as contact your health insurance company so they can get paid. Your pharmacist also might call your doctor if a newly prescribed medication should not be taken with one you’re already using.

Your pharmacy is allowed to use your contact information to let you know about other services it provides. But it can’t sell its mailing lists or give information to a third party so that entity can send you information about its goods and services—unless you sign a separate authorization form.

“You have to specifically advise the individual who you’re giving it to and what you’re sharing,” McAndrew said.

As an example, she said that a pharmaceutical company marketing a new drug that lowers cholesterol might ask physicians for the contact information for patients who could benefit. The physicians would have to contact patients and have them sign an authorization form before they can sell the information to drug maker.

“The takeaway point is that a covered entity is not allowed to sell the contact lists of patients to a third party to use for their commercial purposes without permission,” McAndrew said.

Applying for an individual health insurance, disability or life insurance policy? You’ll be asked to sign a form authorizing those companies to buy the last five years of your prescription history from two companies, MedPoint and Milliman Intelli-Script.

Insurers use that information to figure out such things as whether you have one or more things wrong with you, if they are chronic or will go away, and how regularly you fill your prescriptions.

Their conclusions—accurate or not—help them determine your risk classification, how much to charge you for health insurance—even whether or not to sell you a life insurance policy.

McAndrew recommends asking for a copy of your medical or billing records from your insurer, from MedPoint (at 888/206-0335) and Milliman IntelliScript (877/211-4816). She said a good time to do this would be when you change providers and want to make sure the information the new provider receives is complete or if you have reason to doubt that it is accurate.

“If you see something wrong,” she said, “you can ask for that to be amended.”

Cathy Jett: 540/374-5407

cjett@freelancestar.com

Permalink: http://news.fredericksburg.com/business/2012/08/17/hipaa-information-may-not-be-top-secret/