Tuesday, July 13, 2010

HIPAA? We don't need no stinking HIPAA!!!

[Note added later: a downloadable pdf of this post is available.]

From the U's website:

Q: What is HIPAA?

A: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 and requires us to implement processes with respect to protected health information as well as inform individuals about how we protect their information.

Q: What is confidential information?

A: Confidential information is any health information or billing information that can be linked to an individual. If you know that John Jones was a patient and received treatment for a broken leg, this is confidential information.

Q: Who is responsible for patient privacy?

A: Each one of us.

Q: Am I permitted to look up my sick father’s medical record?

A: No, unless your father has authorized it. While parents usually want family involvement in their treatment, it shouldn't be assumed. Sometimes an individual does not want family members to know the details.

Q: We know that diagnoses and test results are confidential. What other information about a patient is confidential? What about billing records?

A: Essentially any information that is patient-identifiable is confidential and must be protected. Confidential information includes the patient's address, insurance information and their medical information. Only when the patient has agreed may it be used or disclosed for specific purposes

Q: Can a University employee or physician who violates the University’s privacy policy be subject to punishments up to and including firing or termination of work privileges?

A: Yes. HIPAA regulations are federally mandated and we must investigate and appropriately respond to each privacy and security incident.

(But I guess some pigs are more equal than other pigs...)

As one of my friends said about this situation:

"I’m naïve enough to still be stunned by the U’s willingness to look the other way when someone important enough does something wrong. If a U clerk inappropriately accessed someone’s medical records, they’d be out on their ass in a heartbeat."
Another commented:

"I think it's incredible that anyone would be stupid enough to look into those medical records given how much we are all made to think about HIPAA."

Even though I have absolutely no exposure to patient records I am FORCED to take HIPAA training because the powers that be have decided that EVERYONE in the AHC must do this. I once wasted a day trying to get out of it...

So this clown certainly knew better. Besides, he is a doc and knows damned well that this is unethical. And what will the U do about it? A minimum of a serious suspension and DENIAL of DIRECT ACCESS to MEDICAL RECORDS is in order.

From the Strib:

Dr. Mark Schleiss, a prominent University of Minnesota researcher, was not disciplined by the state Board of Medical Practice despite a dozen violations.

... a prominent University of Minnesota researcher, took matters into his own hands. He used his position at the university to peek into the medical records of his wife and two teenage daughters a dozen times in 2008 and 2009, university and other records show.

The state Board of Medical Practice investigated but did not discipline Schleiss, who heads the university's pediatric infectious diseases division. Federal regulators are investigating to see if privacy laws were violated, according to e-mails sent to Collett Schleiss.

In a federal case, a nurse practitioner was barred from using an electronic records system after she was caught viewing her ex-husband's records.

In 2007, Park Nicollet Clinic suspended more than 100 employees for violating federal laws on patient privacy, mostly related to viewing electronic records of relatives or friends. Susan Zwaschka, Park Nicollet's general counsel, said the abuse dropped dramatically once the clinic's aggressive monitoring went public.

"We owe it to the patient to keep their record confidential," Zwaschka said. "It can have a devastating effect."

Collett Schleiss said her ex-husband used medical records to obtain unlisted phone numbers and other information that she said allowed him to harass family members. In December 2008, Mark Schleiss surprised his 15-year-old daughter by showing up at her doctor's appointment, even though she hadn't told him about it, records show. Collett Schleiss said he also bragged about his knowledge of her visits with a therapist, saying those sessions were causing their marital problems.

"His comments kept building up in my head until it dawned on me that he's getting actual information from somewhere," Collett Schleiss said.

Her suspicions were confirmed in June 2009, when she got letters notifying her of the privacy breaches from the university and Fairview Health Services, where family members were treated.

Four months later, Collett was told that Mark's access to medical records would be monitored for six months by the University of Minnesota Physicians**, a group of faculty members who practice at various locations. In an e-mail, the group's compliance officer said Mark Schleiss had been disciplined for his "inappropriate access of medical records," but provided no details.

"He's perfectly free to do it again if he wants because there's no block" on his access, said daughter Katherine Schleiss, who is now 19. "If he had been some nurse who had done this, he would have been fired, but since he's so high up, nobody wanted to take any action against it."

Mary Koppel, a spokeswoman for the University of Minnesota Medical School, declined to comment on the Schleiss case.

Mark Schleiss accessed Collett's records, including her visits to a therapist, about the same time custody issues were being discussed in court.

"I think he was looking for something that would be damaging to me," Collett said.

Collett said family members quit going to counseling after they found out about the breach.

In August 2009, after Collett Schleiss complained to the state and his employer, a package containing five vials filled with an unknown liquid arrived at her Eden Prairie home, according to a police report. Collett Schleiss accused her husband of making terroristic threats, but he was not charged. Mark Schleiss told a police investigator he had mistakenly sent a used envelope containing what he believed was a non-toxic DNA primer.

In November 2009, the medical board said Schleiss was scheduled to visit with a board-approved physician to address the board's "concerns."

"I thought it was extremely inadequate," Collett Schleiss said. "That's basically sitting down to a lecture."

Time yet for a housecleaning at the Academic Health Center and the University of Minnesota Medical School? Time for a full-time medical school dean to ride herd on people like Dr. Schliess? This is far from the first time that an egregious violation of medical ethics has been commmited, and tolerated, by those high up the greasy pole, see for example:

(By the way this guy is still head of a department at the U AND a big wheel in, you guessed it, the **University of Minnesota Physicians.)

If we don't have integrity at the U of M, then what do we have? Dr. Cerra? President Bruininks?


No comments: