HIPAA?


HC18

So on my current rotation, my preceptor asked me to find a patient with a certain disease state and do a case study presentation on it. Is it a violation of HIPAA if I go through charts to find a patient with this disease state, but do not record anything but lab values?

 
You can present anything you want. PMH, Dx, meds, lab values. Leave the name out of it. Keep it John Doe or use their initials. Say age instead of DOB. HIPPA in its simplest terms means what you learn in the hospital/clinic/pharmacy, etc. STAYS there. So, whatever you read/hear/see does not get repeated outside of the institution. There are also regulations of HIPPA that entail computer use. Unless you have a reason to click on that patient, don't do it. Even when I am working and see a name I recognize, I don't look at that patient's profile unless I have to for work. Hospitals monitor that as well. We had a technician look at her own electronic record, IT caught it and she got fired. It's okay in your case, you are doing experiential learning so you have to go through different charts.

Simply, don't be a nosey Nellie and a Billy Blabbermouth and you'll be fine.
 
Trolling profiles of people you're not actively involved in treating is a HIPAA violation. Otherwise it wouldn't be a violation to look up famous people. Being an academic reason does not negate this unless you have specific language in your privacy documents. Then again it's only a violation if you get caught and many times academics are not overly concerned with "intellectual stifling regulation".

Tell your preceptor you want to run it by the privacy officer first.


And it's not a female hippo
 
You can present anything you want. PMH, Dx, meds, lab values. Leave the name out of it. Keep it John Doe or use their initials. Say age instead of DOB. HIPPA in its simplest terms means what you learn in the hospital/clinic/pharmacy, etc. STAYS there. So, whatever you read/hear/see does not get repeated outside of the institution. There are also regulations of HIPPA that entail computer use. Unless you have a reason to click on that patient, don't do it. Even when I am working and see a name I recognize, I don't look at that patient's profile unless I have to for work. Hospitals monitor that as well. We had a technician look at her own electronic record, IT caught it and she got fired. It's okay in your case, you are doing experiential learning so you have to go through different charts.

Simply, don't be a nosey Nellie and a Billy Blabbermouth and you'll be fine.

Fired for looking up your own profile? I think that hospital needs to look at the big picture and ask themselves what the point of HIPPA is.
 
Trolling profiles of people you're not actively involved in treating is a HIPAA violation. Otherwise it wouldn't be a violation to look up famous people. Being an academic reason does not negate this unless you have specific language in your privacy documents. Then again it's only a violation if you get caught and many times academics are not overly concerned with "intellectual stifling regulation".

Tell your preceptor you want to run it by the privacy officer first.


And it's not a female hippo
 
They probably googled "hippa" and came up empty and they made their own policy

No dude, they aren't playing. Be a pro. They'll pay you like one. Bottom line: who gives a **** what anyone does. Just live your life and be a pharmacist.
 
Uhm...what happened here, haha
 
Literally no idea. I just pointed out their inability to properly spell HIPAA and they popped a gasket. No idea why he needed 3 posts, afaik nothing was deleted. I'd also like to know what the censored words were.
 
Bro, please be a pro.
 
It is literally a HIPAA violation to go through patient profiles for your entertainment/research/whatever. If you're not digging through for patient care, that is a privacy violation. Also, leaving out names and DOB does not mean you have removed identifiable info. Those charts and numbers are identifiable info! If your colleagues have enough interest, they can flip through all the patient charts to find out who that sicko is! That interesting HIV and STD guy with those exact numbers? That's him! As such, those exact numbers are identifiable info, and it is a clear violation of HIPAA. Nonetheless, no one will waste time going after you for that, because pretty much all educational facilities do it.

Example 1: a pharmacist posted on social media about a customer. He did not mention name or DOB, but he mentioned the circumstances around that customer to make that customer identifiable. He was terminated for a HIPAA violation.
 
Literally no idea. I just pointed out their inability to properly spell HIPAA and they popped a gasket. No idea why he needed 3 posts, afaik nothing was deleted. I'd also like to know what the censored words were.

Some people have drain bamage.
 
So on my current rotation, my preceptor asked me to find a patient with a certain disease state and do a case study presentation on it. Is it a violation of HIPAA if I go through charts to find a patient with this disease state, but do not record anything but lab values?

HIPAA allows you to access a chart for any information you need to do your job, so if that's all you're doing, the answer is no. That's why the chart exists in the first place.

Good grief, when I was doing rotations in 1994, some of the people in my group were using the patients' full names in their writeups, when it wasn't warranted. :eek: Most of us, myself included, used initials and age only. Nowadays, we probably wouldn't even use the initials.
 
Not replying to anyone in particular, but I consider my intern a clinical extender of my services therefore accessing charts and doing whatever it is students do = contributing to the active treatment of this patient, therefore considered healthcare operations and permissible use.

For a recently discharged patient, it gets a little grey, as accessing for academic reasons does not really fall into the healthcare operations exemption, nor is it considered a formal peer review/formal QA meeting. Theoretically, one would be conducting a case study (n = 1) by accessing PHI for this purpose, thus requiring IRB exemption.

However, section 164.501 of HIPAA Privacy Regulations does paint a broad brush as to what falls under "healthcare operations." Since interns are simply pharmacists in training and clinical extenders, I view their accessing of discharged charts within the confines of my rotation to be an exercise in quality assessment and outcomes evaluation without the intent of developing generalized knowledge (important distinction vs. research). Anytime there is patient workup, treatment plans are inevitably included, so using this data, individual prescribers in the health system can be engaged, and so can any pharmacist that approved those orders.



EDIT: Never mind, I found it. Sec. 164.501, subsection 2, of the HHS Regulations as amended January 2013:

Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

...conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

And the qualifier here is right from 45 CFR 164.506:

A covered entity may disclose protected health information to another covered entity for certain health care operation activities of the entity that receives the information if:
  • Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship; and
  • The disclosure is for a quality-related health care operations activity (i.e., the activities listed in paragraphs (1) and (2) of the definition of “health care operations” at 45 CFR 164.501) or for the purpose of health care fraud and abuse detection or compliance. For example: A health care provider may disclose protected health information to a health plan for the plan’s Health Plan Employer Data and Information Set (HEDIS) purposes, provided that the health plan has or had a relationship with the individual who is the subject of the information.
And you're all welcome.
 
So if a preceptor tells me to look for people that have xxx condition it's carte blanche to look up famous people and acquaintances under the guise that it is training?
 
So if a preceptor tells me to look for people that have xxx condition it's carte blanche to look up famous people and acquaintances under the guise that it is training?

See the way you phrased that means that approach is a HIPAA violation - if your intent is to review celebrities/acquaintances under the guise of treatment. On the flip side, if you have a provable chart access history showing you indeed are looking for "propofol" in an emergency department dictation/note and open up Michael Jackson's chart...then that's just happenstance.

It boils down to mens rea and what's provable and what is not. If you're a CNA on the medical-telemetry floor of the hospital opening charts for ICU patients you don't even see, that's obviously a violation; if that same CNA knows their recluse friend (or celebrity) has been admitted to the ICU, jostles to get transferred to that unit for some operational reason (maybe the bed next door needs a sitter, and this CNA volunteers way too hard), and THEN opens the chart... the intent is clear (because I wrote this fictional scenario), but upon review, the chart access appears legitimate.

As a student... I can't prove this one, but if your preceptor orders you to open the chart for Britney Spears and check if the antipsychotic medication was administered this morning, but really they had nothing to do with their treatment and just wanted to peek into their chart, who just violated HIPAA? I say the preceptor...it's no different than someone socially engineering a phone call to an outpatient clinic pretending to be a doctor asking for sensitive information and having the patient's name/DOB (the standard way some clinics verify legitimate providers...which is dumb).

And last (I promise this post will end)...as pharmacists, even as clin specs, we often cross-verify medication orders throughout the whole hospital (and at some places, remote institutions). It's much more difficult to prove that an individual was targeting certain charts, given the volume of orders in an institution and the potential that every pharmacist "treats" that patient.

I've worked with night shift pharmacists who, at about 3-4am when it's slow, go through EVERY single patient in the hospital to check for errors and duplications/appropriateness of therapy. That's a legitimate operational use, but if a nefarious individual knew this and was targeting a patient in bed #19 out of a 30 bed unit, they can theoretically cloak themselves under the "operational" disguise and review charts 1-30.

Just...stick to your institution's protocols and procedures, and you'll be fine. It's deviations that get scrutinized.
 