Recycled Medical Records Used As Scrap Paper At Elementary School 119
Parents with students at Hale Elementary School in Minneapolis have found something interesting on the back of their children's pictures hanging on the fridge, detailed medical information. From the article: "Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White. 'The more I read it, the more alarmed I became about the amount of information I had about this person,' said Kane." The security lapse has been blamed on a paralegal donating the paper to the school.
First medical record post! (Score:5, Funny)
Re: (Score:2)
I had a similar issue once.
I was going through my parents' basement, and there were university info fill out things (SSN was still student ID at the time) that had my art on the other side.
I was amused, as it was a pretty complete set of identity, and clearly from before it really mattered.
Re: (Score:2)
WAH! I'm stupid! I'm stupid! I'm stupider than you! I'm stupider than you in every way!
Your lyrics lack subtlety. You can't just have your characters announce how they feel! That makes me feel angry!
HIPAA fail (Score:5, Interesting)
Re:HIPAA fail (Score:5, Informative)
Maybe not... The law firm is probably not a HIPAA covered agency. If the law firm got the records because their client was a covered entity, they might be in trouble under HIPAA. If they got the records because they were suing a covered entity, they probably aren't in trouble under HIPAA. They'd still be in trouble for disclosing private information, though.
Here's a writeup [medscape.com].
Re: (Score:1)
Re: (Score:2)
Probably just a lawsuit for negligence under one of the more broad and generic privacy laws?
Re: (Score:2)
Isn't violation of attorney-client privilege kind of a big deal?
Re:HIPAA fail (Score:5, Informative)
There is no maybe about it. If the law firm is representing a covered entity then they have to comply with HIPAA regulations. This has been the case since February 17, 2010.
You are also right on if the lawyer was not representing a covered entity. If they had acquired the information while representing a client bringing a lawsuit against a hospital then they aren't covered by HIPAA.
Re: (Score:3)
"You are also right on if the lawyer was not representing a covered entity. If they had acquired the information while representing a client bringing a lawsuit against a hospital then they aren't covered by HIPAA."
That seems rather a giant loophole. You mean if I sue a medical center and get medical records, I can do whatever the heck I want with them? That doesn't seem like it could possibly be right.
Wouldn't the court put you under some sort of non-disclosure order, if nothing else, if the court gives you
Re:HIPAA fail (Score:5, Insightful)
You aren't going to be able to sue a medical center and get all medical records for all patients. It's unlikely that you would get any records other than your own health records.
What happened here is a pretty clear chain of events as to how it happened.
Here's the facts. Many (exact number unknown) pieces of scrap paper contained medical information. All that information originated from Sawicki and Phelps. Ms. White had hired them after she was in a car accident.
The last fact heavily suggests that these attorneys are personal injury attorneys and possibly medical malpractice attorneys. They are going to need to have the medical records for their clients in order to build a case. This leads me to believe that all medical information disclosed by them were all clients of the law firm seeking restitution for injuries sustained.
It's really not even a loophole at all. It's a possible consequence of giving your medical information to a group not covered by HIPAA.
The only difference between this and giving your medical information to the guy that gets your Starbucks in the morning is that at least lawyers have the bar association and other organizations which may keep them in line regarding private information. That and a lawyer without clients because he keeps giving out their private info would be a lawyer without clients.
Re: (Score:3)
The only difference between this and giving your medical information to the guy that gets your Starbucks in the morning is that at least lawyers have the bar association and other organizations which may keep them in line regarding private information.
Exactly. The story is a bit misleading because it leaves out the fact that either Ms. White picked up the information herself and brought it to the attorney's office or signed a document giving them full permission to obtain any medical records necessary for her personal injury case. Either way she gave them permission to have those records.
However HIPAA still applies to attorneys. [wachler.com] Just because she handed those records to the attorney doesn't mean he gets to show them to the world, in fact that's exac
Re:HIPAA fail (Score:4, Informative)
HIPAA only covers medical providers, health insurance plans, and medical clearinghouses (whatever those are). It is "extended" to cover business associates with which covered entities engage for work assuming the business associate has adequate protections to safeguard the PHI and they won't misuse it. The business associate label just allows a covered entity to share the PHI without seeking the patient's permission.
A lawyer representing a hospital during a medical malpractice case would be considered a business associate. If a hospital wants to store backup tapes that contain PHI with Iron Mountain, then Iron Mountain is considered a business associate and must meet all the regulations of HIPAA.
A lawyer representing a client who is suing a hospital for medical malpractice is not representing a covered entity and consequently not required to follow HIPAA regulations.
If HIPAA was violated in this scenario then the hospital did so by releasing the records to the law firm but I highly doubt that the hospital released the records to the law firm without the patient's permission. The Bar Association or other entities may have something to say but a violation of HIPAA this is not.
Re: (Score:2)
Re: (Score:2)
And if you read your link, you would read the part about business associates having direct liability as of February 17, 2010. Your link validates all my statements, assuming you know what the lingo means.
Business Associate: A business which provides a service on behalf of a covered entity that can be provided access to PHI without requiring a patient's permission.
PHI: Personal Health Information
Covered Entity: A business entity that is directly covered by HIPAA. These are medical practitioners, health care
Re:HIPAA fail (Score:5, Insightful)
Really? That's somewhat appalling ... so the easiest way to sidestep these regulations is to give it to someone who isn't covered by them?
I realize that's a gross simplification, but I should think that getting information covered under such a law would extend obligations to you. This information is covered under HIPAA ... you've been given this information ... therefore you have obligations under HIPAA.
I mean, it's not like someone can give me Classified information and suddenly I'm free to do with it as I please.
Sadly, I fear my version is probably more abstract and less likely to be that way in practice.
Re:HIPAA fail (Score:5, Informative)
I don't think you understand the purpose of HIPAA.
HIPAA is designed to dictate both how covered entities that can collect your PHI have to handle your PHI but mostly it's to cover the instances under which a covered entity can share your PHI with third parties without your permission with all other cases requiring your permission.
There is no way for a covered entity (medical provider) to sidestep HIPAA by giving it to some 3rd party without first obtaining your permission. If they could give it without permission then the entity receiving the PHI is going to be covered under HIPAA as well either as a covered entity or a business associate.
Re: (Score:2)
Always in the realm of possibility.
But, in the post I replied to:
So, if the law firm got those records because of a legal action, that doesn't necessarily mean they got it with the patient's permission.
To me, the obligation to treat the data as secure patient information can't pos
Re: (Score:2)
A law firm cannot sue a covered entity for medical records. The law firm in question from the article is a personal injury firm. They, without a doubt, made a request to the hospital for the records. The hospital then contacted the firm's client seeking permission to release the PHI. The client gave permission to the hospital and they gave the records to the law firm.
It's either that or the client directly received the PHI from the hospital and then gave them to the law firm.
There are very few instances whe
Comment removed (Score:5, Interesting)
Re: (Score:3)
Maybe not... The law firm is probably not a HIPAA covered agency.
Which leads to an obvious question: why isn't everyone covered by HIPPA? Okay, not everyone would normally have medical records in their possession, and so they wouldn't run afoul of HIPPA, but why should anyone be able to disclose medical records to the public without permission of the patient? Seems like a rather giant loophole.
I can see it now... (Score:4, Funny)
Re:I can see it now... (Score:5, Funny)
"Mommy, whats 'anal hemorrhoids'?"
A much better condition than 'oral hemorrhoids'.
Re: (Score:2)
Re: (Score:1)
We all know about 6 degrees of Kevin Bacon. Introducing: 3 degrees of politics. "Any topic can be connected to petty squabbling about politics in 3 statements".
6 Kevins?
My home town nearly went to zero Kevins back in 1978.
It was a particularly cold winter, and we were already down to 3 Kevins (due to their low popularity at the time).
Kevin Thomas had flown out to be with his son's family for a wedding and got stuck in Boston for a whole week due to the weather. 2 Kevins left.
Kevin Lemmer was rushed to the hospital during my shift. I still remember the call from the EMTs as the ambulance was rushing toward us. "It's Lemmer. He's in bad shape. Drove right into the f
Re:Hip, Hip, Hipaa! (Score:4, Interesting)
Good going! Would HIPPA be violated, or lawyer client privileged be violated in this case?
Probably both, ouch...
Re: (Score:2)
Paralegal? (Score:3)
A paralegal donated the paper? Wow. That is like a sys admin posting a server password on a post-it note on the server rack...
Re: (Score:3)
A paralegal donated the paper? Wow. That is like a sys admin posting a server password on a post-it note on the server rack...
What's wrong with a post-it note? How do you think I'm browsing the Internet bro?
Re: (Score:2)
Re: (Score:1)
A paralegal donated the paper? Wow. That is like a sys admin posting a server password on a post-it note on the server rack...
No, it's like the intern that re-images the compromised computers taking all the password laden Post-It notes from all the monitors in the company and donating them to an area school.
Re: (Score:1)
Re:Paralegal? (Score:5, Insightful)
I can tell you exactly what happened. There were two boxes next to the copier, one which was for the "special needs" children in school, and the other for materials to be shredded. Someone dumped some papers with PII into the "special need" children box when they should have gone into the shred box. Then, more documents without PII were dumped into the "special need" children box. When the school came calling for paper as they do once a month, the paralegal grabbed the "special need" children box and gave it to the school, giving the documents a cursory glance.
More than likely, the arrogant lawyer who will just dump his papers wherever because he's too busy to actually pay attention is the culprit. The poor paralegal will get the shaft, the "special need" children box will get removed, and we will all move on feeling wiser - except the "special need" children, who no longer will get paper either with or without PII.
Re:Hospitals are getting better at privacy (Score:5, Funny)
But now it's passed to 3rd parties AND 3rd graders!
paralegal did not use a paper shredder (Score:2)
Wow just wow did the boss not give her the time to do it But why do they not have a locked bin to drop papers in that a out side place like iron mountain or others to destroy the paper?
HIPPA lolz (Score:1)
But but.. what about HIPPA? it would garentee nothing like this ever happens! .. oh.. what's that... just because someone makes a huge compliance law doesn't prevent basic slip-ups like this?
Re: (Score:2)
Re: (Score:2)
Lawyers who represent covered entities have had to be in compliance with HIPAA regulations since February 17, 2010. They are classified as a business associate of the covered entity and must take steps to protect the information.
Re: (Score:2)
Re: (Score:2)
HIPPA basically means that the medical staff has to get a form signed that says it is OK for them to release your information, thereby giving them a pass as to whatever happens from then on. I am sure that everyone is in compliance with getting the proper forms signed allowing release of information to anyone. You misunderstand if you think HIPPA is about keeping medical information out of the hands of others - it is all about having the proper forms signed allowing medical information to be given out. O
Penalties (Score:1)
Looks like the Hippa laws has 3 tiers of penalties depending on intent of disclosure. The first penalty, $50K fine and possible jail sentence of not more than a year, is for a person knowingly disclosing the information but with no malicious intent. So the people guilty of this law would be the paralegal, Ms. Kane, and possibly the CBS reporter. The medical facility that the paralegal works at probably shares in the blame too. So how many people here will be prosecuted? Probably none.
Of course I don't
Re: (Score:3)
So the people guilty of this law would be the paralegal, Ms. Kane, and possibly the CBS reporter.
No, you're missing the part of HIPAA that spells out who is covered by the regulation. Neither the teacher nor the reporter are bound by HIPAA.
Management needs to be punished (Score:3)
Responsibility for processes that ensure this does not happen is with management. If it happens, then not the paralegal, but his/her manager screwed up and needs to be punished. With power comes responsibility. It is time for the to be reflected in the legal system.
Re: (Score:3)
That will never happen. I know that's what's supposed to happen - but we all know that management will never take any responsibility for anything. They will just pass the buck to some poor para legal who is being paid barely minimum wage every single time.
Re: (Score:2)
I worked as a paralegal while in college. I'll have you know they get paid minimum wage + tips.
Re: (Score:3)
By which you mean they get to, um, service the senior partner's needs in order to retain their position?
Sorry, I'm sure that is libelous and suggests that lawyers are a bunch of miserable, manipulative pricks. That part is merely an opinion and should be stated as such. ;-)
Re: (Score:3)
Sorry, I'm sure that is libelous and suggests that lawyers are a bunch of miserable, manipulative pricks. That part is merely an opinion and should be stated as such. ;-)
What did a bunch of miserable, manipulative pricks ever do to you to imply they are lawyers?
Re: (Score:2)
Well now hang on...
Phelps said the donation was a violation of the firmâ(TM)s privacy policies.
âoeIt was a mistake,â said Phelps. âoeThe employee did not believe there was any personal information on the papers.â
It doesn't sound like the manager was in any way involved in this. It sounds very much to me like the paralegal just took some paper over to the school.
Managers need to be crucified when there is a lapse in policy or reasonable management of staff. But one employee doing som
Sue the law firm. (Score:2)
Makes Sense (Score:5, Funny)
Three decades ago when I was in high school, they loaded our PDP-8's line printer with the the back sides of boring inventory reports from some manufacturing company.
However, now that we don't manufacturer anything in the USA any more, and our entire economy is becoming nothing more than a mix of healthcare providers and consumers, they *have* to use old health records for printer paper in schools. There's nothing else to use.
Re: (Score:1)
If our technology allows our society to survive with fewer and fewer manufacturing jobs, because of technology, shouldn't we try to make a new social model in which people don't need to work so much to get the same things? It's happened before, why can't it happen again?
Re: (Score:2)
Re: (Score:2)
I have at least 3 boxes of old, unused green-bar. will that help?
Re: (Score:2)
only if the perforated feed strips are still there. those make the greatest crafts for the kindergartners.
Re: (Score:2)
> they *have* to use old health records for printer paper in schools. There's nothing else to use.
It's a crazy idea, but I think they could probably buy printer paper and use that.
hysteria about health record security (Score:1)
Re:hysteria about health record security (Score:4, Insightful)
Health records can contain personally identifying information (like SSN/DOB/address) which can be used for ID theft. (As an ID theft victim, trust me when I say this is *NOT* fun to clean up after.) Also, potentially embarrassing information could be revealed that was trusted to remain between doctor and patient. Working in IT in a medical organization, I can attest to the power HIPAA has over our actions. We need to keep it in mind with everything we do. People get fired for violations like looking up someone's records that they didn't have a job-related need to do. It's not a warning not to do it again with repeat offenders getting the boot. It's strike one and you're out. There will be an investigation and people will be fired.
Re: (Score:3)
That is Horrible (Score:2)
Now the kids will see how bad you get f***d when you go to the doctor and will avoid getting proper medical care!
Re: (Score:2)
In addition, teachers are being forced to print/copy more, because they have to 'teach to the test' for all of the NCLB state assessments. there are many other ways to assess learning, but they need recorded documentation, and need to repeat delivery of assessment exercises in the exact form of the big test. (standard test taking practice, been tutoring it for SATs, etc. for years). When you have a predetermined metric, you design to the metric, and in this case that means using more paper.
Nothing Will Happen (Score:2)
FedEx commercial (Score:1)
spoiler (rot13):
Na bssvpr vf erhfvat gur onpxf bs hfrq cncre. Fbzrbar gura nfxf "'Jung'f gur Rkrphgvir pbzcrafngvba yvfg?"
Re:HIPAA uber-violation (Score:5, Insightful)
I am sure the school carefully checked over the scrap paper being donated. Some teacher probably got a box full of paper, took a quick look and was just thankful her funding-starved school got some paper. Otherwise, she'd have had to buy some out of her own paycheck like many teachers do...
Re:HIPAA uber-violation (Score:5, Interesting)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Add to this the fact that in order to get the good courses (and an actual degree), you have to be matriculated (officially enrolled in a degree-granting program), and in order to stay stay matricula
Re: (Score:2)
When working through problems for tests or even scratch paper for homework I'd always raid the recycle bin next to all the campus computers. Full of 1 sided paper that is just tossed.
Sometimes you'll find a bunch of PS errors that printed nothing but glyphs on a 1/2 a ream of paper. Then it's the jackpot. I don't ever remember paying for paper during my undergraduate.
Re: (Score:1)
Someone at Larry Flynt publications should arrange for some "scrap paper" to be donated for the benefit of those poor undereducated students. More likely to get some from BoA though..
Re: (Score:2)
Or to pay the salary of the newest assistant deputy backup vice superintendent...
Re: (Score:3)
Probably somewhere that has color-less money. Our district gets 'tech funding'. We've bought a few advanced projectors on mobile cats, video cameras, and some other things (no iGear, sadly). But, our teachers get a 'paper allotment' and gott forbid if any other money was spent on paper. The PTA gives teachers a small allocation each year for 'supplementary items' for the classroom. We'd get audited if it was suspected the money was getting used for 'primary education', and that includes buying them new pape
Re:HIPAA uber-violation (Score:5, Funny)
We've bought a few advanced projectors on mobile cats...
At my school we had mobile projector cats, too. It was hard to keep those little monsters still through an entire lecture, though. Especially when the teacher pulled out the laser pointer.
Re: (Score:2)
That's the zoom-out feature. They're working on getting it to zoom-in.
Re:HIPAA uber-violation (Score:5, Informative)
Someone should be fired immediately. And was there no one at the school that noticed this?
School teachers are not responsible for HIPAA compliance ;-)
Re: (Score:2, Interesting)
Yeah, but how else are you going to blame this on public employees? You just know it has to be their fault.
Re: (Score:1)
Re: (Score:1)
Haven't you heard? Literacy is a skill that's taught in college [msn.com]. Elementary and High School teachers don't teach it, so they aren't practicing it regularly. The grade school focus is more on tasks like diagnosing ADD [cnn.com].
Re: (Score:2, Interesting)
A) If anyone violated HIPAA, it's the law office, not the school. And whether or not they're in violation of HIPAA specifically depends on how they came upon those records.
B) The paralegal who donated the paper almost certainly will end up losing her job over this. Fortunately for you, we live in a society where people lose their jobs over honest mistakes, since something has to satisfy your misguided rage over something that had no effect on you whatsoever.
C) TFA says this was an afterschool program. I
Re: (Score:1)
I have issue with A and B.
If we have HIPAA in place to protect medical information it shouldn't matter the manner the party that released them came about it. If it was a lawsuit brought by a client of the firm or whatever, there should be no loophole what-so-ever for a violation like this.
As for B the paralegal shouldn't be fired, their head was in the right place trying to help out a local school. Now IF this law firm was working on a case concerning these records at one time, then anyone w
Re:HIPAA uber-violation (Score:4, Insightful)
Oh bother. This is a law firm which deals with private information as a business. It's what they do. Every peon (non-lawyer) should always assume that every document is private, and that disclosure could lose them their jobs. They should be told this, but they should also be able to figure it out on their own.
Now there are scenarios (ex:asking permission) where someone else would be at fault. In the general case, though, the paralegal is squarely at fault. I don't want to hire a lawyer who employs that paralegal... thus one can hardly blame the law firm for not wanting to employ him/her any further.
Re: (Score:2)
Someone should be fired immediately. And was there no one at the school that noticed this?
Someone at the hospital should be fired immediately.
I have experience handling medical data, and I have seen how aggressive HIPAA violations are pursued. The slightest mistake can result in fines that are so large that the parent company HAS closed down entire branches only due to some moron's mistake. And although I wont say names, I'm talking about one LARGE company with money to bribe senators and push laws. Yet they never get to avoid repercusions of HIPAA violations.
The hospital in responsible for this
Re: (Score:2)
So.... you're ignoring that a person can give permission for non-covered entities to have access to that PHI. The sort of permission that would have to be granted to a law firm when they are pursuing a personal injury case for a client? The exact sort of law firm which is the subject of the article.
Re: (Score:2)
Not ignored, if that is the case the hospital has to provide record of said permission. It's part of "explain even why paralegals had access to PHI."
Re: (Score:2)
"explain even why paralegals had access to PHI."
Because the patient voluntarily released the information to her own law firm? They're personal injury lawyser representing her. The hospital did nothing wrong, and the law firm no more HIPAA-bound than a random guy you hand your medical records to. Not to say they won't be sued or censured for ordinary mishandling of client records.
Re: (Score:2)