So Much for Medical Privacy

[Koolau]

Just got back from the Doc's office. Each time one visits this particular clinic, the staff "extracts" all the same info (medical insurance cards, phone, address, blah, blah, and etc.) I had been two weeks ago and went through the same "inquisition" with the exact same staff for the exact same doctor. But that's not what I want to talk about. Following the 15 minutes of wasted time (theirs and mine) I was given a 3 page form which contained all of my info, including meds and significant past procedures and conditions. I was supposed to review it and then keep or destroy at my will if it was all correct. Since I had just reviewed the same info 2 weeks prior, I asked the staff to shred it. Apparently, they did not. As I was waiting for my appointment, an old buddy from my previous w*rk came in just after I did. He went through the same process and was then handed the form to review. We sat and talked for perhaps 15 minutes when I accidentally glanced at his 3 page form. Unfortunately, it was not his - it was mine. I mentioned it to him and he went back to the staff who eventually found his form in the regular trash. I assume that's where mine went upon its return.

At another doctor I see on a regular basis, they have a fairly similar procedure of inquisition followed by a review form. BUT on their form, the SS number is listed. I once asked why and they said it was needed for billing. I asked if the doctor or his staff actually had to input my SS each time or didn't their computer have that number already (since it is capable of printing it out correctly each time.)? They shrugged. I noticed shortly thereafter that the forms, which are given to the doctor's nurse or other assistant upon being called back to the office ALL end up in an (for want of a better term) "in-out" box. The office area is often unattended and I considered simply confiscating the few dozen forms from the "box" - just to see if it got their attention. I'm sure that would have been illegal though it would be easy to avoid detection. I did NOT ever do it (though I could have at the time of any doctor visit.)

At another clinic I used to visit, the procedure included a photo copy of DL and all insurance cards (including Medicare.) Once again, the resulting copies were placed in a similar "box" where pretty much ANYONE - not just other clients - could have access. No security of any kind was in place other than having staff behind the counter most (not all) of the time.

I have pushed back on all of these situations to one extent or another - going so far as to sit down with one of the clinic's administrators - that time about the SSN being prominently displayed on every form. I have been totally rebuffed and pretty much told (in a nice way) "If you don't like it, go someplace else." Currently, I black out my SSN on that one form mentioned above. No problem after doing this for several years now - sure enough, I DO actually get billed - EVERY time. Go figure.

I bring all this up because, clearly, none of these places takes medical privacy seriously. The 3 clinics are spread across the country, so this is not "isolated" apparently. Perhaps more importantly, with the info contained on these forms, ID theft would be child's play for anyone with the nerve to steal a hand full of forms occasionally. SSN, DOB, Address, Age, Full Name, Insurance info, etc. are all available on the forms in one convenient "ID-Theft" package. I mentioned this to one clinic and still got "the shrug". I am seriously considering making a "big deal" out of the most recent event in which my info was handed to someone else. I think I would have a case, but don't know if it would be worth the effort nor whether it would actually change behavior - even at THAT clinic.

Curious if others have "stories" to tell or advice on how such routine privacy breaches should be handled. I'm certain that YMMV.

 

[travelover]

It is kind of shocking. A few years ago I had to drop off a form for a judges signature. There was a drop box outside his office which was accessible to anyone that walked off the street. That box was full of the most intimate documents one could imagine, all in a pile for any one to read, copy or even just take.

 

[TrvlBug]

Nowhere as egregious as your experiences, a few years ago I received a call from company X wanting my SSN as my dental office was outsourcing their billing. They stated my company's HR dept would not give them the info so they were calling me for it...huh...did they think I was stupid. Told them to pound sand.

At my next dental appt. the receptionist commented on my refusal to provide the info and seemed surprised at my refusal to do so...told her I don't provide confidential info over the phone to people I don't know. As I was sitting in the waiting area, others overheard this exchange and there were a few chuckles/knowing nods.

Banks are just as bad. Due to mail theft in my area I always have new checks delivered to the bank for pickup. My bank no longer does this because the mailman delivers the mail to an unsecure area where anyone can walk by and grab stuff. I suggested they could easily solve this and all I got was a shrug.

 

[Meadbh]

Koolau, this casual attitude to patient privacy is simply unacceptable. If I were you I would complain to the Hawaii Medical Board.

 

[MRG]

When I w*rked I had to take HIPPA training every year. These are serious failures to follow the law. When your information was accidentally given to another patient, the facility was required to report it. I would ask to talk with their HIPPA compliance director to express your concerns. Otherwise, report it yourself to the state board, and find a new facility.

Glad the third time this post didn't cause the application to crash. Recovery doesn't appear to work unless your in full screen mode.

Sent from my SAMSUNG-SGH-I337 using Early Retirement Forum mobile app

 

[Koolau]

I suppose sooner or later the types of privacy breaches we've experienced will "blow up" big time. Sort of like back in the day when medicine bottles and packages (like Tylenol) were not secure (i theorized that possibility long before cyanide was substituted for acetaminophen.) If a huge theft (or number of thefts) is ever traced back to these "shrugged off" practices, then people will get serious about the issue. Until then, as long as ID thieves don't get greedy, there are dozens of small breaches they can exploit which may never be traced back to the culprit. But if I (an "honest" person) can think of this stuff, one would think the low life - er, professional ID thief - could figure a way to steal just enough to make a comfortable living without raising too many eyebrows (or, more importantly, leaving an obvious trail to where info was stolen.)

All of this ignores the "medical' part of the privacy issue. Who wants anyone else to know if you have toe fungus or were ever treated for one of "those" diseases, or had implants or hair transplants, or substance addiction, etc. etc. It's just difficult for me to understand how those in the medical field can be so blaze' about such things. YMMV

 

[Koolau]

Koolau, this casual attitude to patient privacy is simply unacceptable. If I were you I would complain to the Hawaii Medical Board.

Actually, the most recent breach was back on the mainland. I typically spend a couple of months in this location and get some of my medical screening, etc. done at that time. But, the SSN issue did happen to be in Hawaii. I researched it very thoroughly at the time. I found out that I can legally withhold my SSN from almost anyone (banks, gummint agencies not included). So, I don't have to give a clinic my SSN. BUT, they don't have to treat me if I don't. (If the gaters don't getcha, the skeeters will.)

 

[samclem]

The medical privacy issues will be getting worse, not better. In the old days everything was on paper, then we went to electronic recordkeeping that was primarily "in office" to new federal requirements for easy sharing between medical providers. Obviously, all this "freeing up" of medical information can have positive aspects, but medical privacy and data security are not among them.

 

[MRG]

HIPPA regulates Protected Health Information, among other stuff. It includes the 18 items protected for healthcare. Some are more for id theft. Name, SSN......

http://en.m.wikipedia.org/wiki/Protected_health_information

 

[Koolau]

The medical privacy issues will be getting worse, not better. In the old days everything was on paper, then we went to electronic recordkeeping that was primarily "in office" to new federal requirements for easy sharing between medical providers. Obviously, all this "freeing up" of medical information can have positive aspects, but medical privacy and data security are not among them.

How true. At my appointment today, the young lady (mid 40's, heh, heh) giving me the test showed me how to access my OWN data using their (or "some" - I forget) web site. I was not reassured to think that it would be so readily available on line, considering what I had just gone through at the admissions desk. She was so nice I never mentioned my concerns (what could she do?). Still, it's difficult to believe that we as a society have allowed this to happen (in the name of better health care.) So, let me get this straight: The clinic has all of my data out there on a web site, but it still takes 15 minutes at EACH visit just to gather the same info again. What is wrong with this picture? Reminds me of when they told us (all those years ago) about the coming "paperless" record keeping. I never generated so much paper in all my life as when my computer (ca. 1990) crashed. From then on, I made hard copies of EVERYTHING and stuffed them into my desk at w*rk. Saved my bacon more times than I care to recall. Now we're "improving" our medical care by placing everyone's files in a place where any hacker (or gummint agency - can you spell n. s. a. or i. r. s.? - will have access to it.) Yes, yes, I know. I'm a dinosaur. Still, it took a half trillion ton rock from space to kill my "ancestors" off. They must have had something going for them - even if it was only a healthy dose of skepticism and some very think skin. YMMV

 

[Live And Learn]

Ko'olau's Law -

Anything which can be used can be misused. Anything which can be misused will be.

~~~~~~~~~~~~~

Is that signature line new or are you psychic ?

 

[aja8888]

Koolau: I have often dealt with the SS number thing and the thought has crossed my mind as to just making up some random set of numbers and put that down on their form. Kind of like a "Meh" event. (not saying you should do this though)

 

[haha]

Just got back from the Doc's office. Each time one visits this particular clinic, the staff "extracts" all the same info (medical insurance cards, phone, address, blah, blah, and etc.) I had been two weeks ago and went through the same "inquisition" with the exact same staff for the exact same doctor. But that's not what I want to talk about. Following the 15 minutes of wasted time (theirs and mine) I was given a 3 page form which contained all of my info, including meds and significant past procedures and conditions. I was supposed to review it and then keep or destroy at my will if it was all correct. Since I had just reviewed the same info 2 weeks prior, I asked the staff to shred it. Apparently, they did not. As I was waiting for my appointment, an old buddy from my previous w*rk came in just after I did. He went through the same process and was then handed the form to review. We sat and talked for perhaps 15 minutes when I accidentally glanced at his 3 page form. Unfortunately, it was not his - it was mine. I mentioned it to him and he went back to the staff who eventually found his form in the regular trash. I assume that's where mine went upon its return.

At another doctor I see on a regular basis, they have a fairly similar procedure of inquisition followed by a review form. BUT on their form, the SS number is listed. I once asked why and they said it was needed for billing. I asked if the doctor or his staff actually had to input my SS each time or didn't their computer have that number already (since it is capable of printing it out correctly each time.)? They shrugged. I noticed shortly thereafter that the forms, which are given to the doctor's nurse or other assistant upon being called back to the office ALL end up in an (for want of a better term) "in-out" box. The office area is often unattended and I considered simply confiscating the few dozen forms from the "box" - just to see if it got their attention. I'm sure that would have been illegal though it would be easy to avoid detection. I did NOT ever do it (though I could have at the time of any doctor visit.)

At another clinic I used to visit, the procedure included a photo copy of DL and all insurance cards (including Medicare.) Once again, the resulting copies were placed in a similar "box" where pretty much ANYONE - not just other clients - could have access. No security of any kind was in place other than having staff behind the counter most (not all) of the time.

I have pushed back on all of these situations to one extent or another - going so far as to sit down with one of the clinic's administrators - that time about the SSN being prominently displayed on every form. I have been totally rebuffed and pretty much told (in a nice way) "If you don't like it, go someplace else." Currently, I black out my SSN on that one form mentioned above. No problem after doing this for several years now - sure enough, I DO actually get billed - EVERY time. Go figure.

I bring all this up because, clearly, none of these places takes medical privacy seriously. The 3 clinics are spread across the country, so this is not "isolated" apparently. Perhaps more importantly, with the info contained on these forms, ID theft would be child's play for anyone with the nerve to steal a hand full of forms occasionally. SSN, DOB, Address, Age, Full Name, Insurance info, etc. are all available on the forms in one convenient "ID-Theft" package. I mentioned this to one clinic and still got "the shrug". I am seriously considering making a "big deal" out of the most recent event in which my info was handed to someone else. I think I would have a case, but don't know if it would be worth the effort nor whether it would actually change behavior - even at THAT clinic.

Curious if others have "stories" to tell or advice on how such routine privacy breaches should be handled. I'm certain that YMMV.

Medical practices do pretty much whatever they please. The docs have the whip hand.

Ha

 

[Meadbh]

Medical practices do pretty much whatever they please. The docs have the whip hand.

Ha

Ha, I don't know where you got that idea, but I assure you that physicians are bound by the law of the land and by the rules of their professional associations, and may be held to account if they do not follow them.

 

[Bestwifeever]

DH recently had surgery and he finally, he thinks, got the list of medications pared down to the active ones vs. every medication he has ever been prescribed by our drs. I do think electronic records are a great idea for sharing information by medical personnel, but leaving printouts of them where anyone can see/take them, not so great. Our drs' offices had signs up for a while that the electronic records are much safer from theft than than the paper records, which I thought was interesting.

 

[imoldernu]

Big Brother is watching... Big Sister, Big Neighbor, Big Bank, Big FA, Big WalMart, Big Amazon, Big Google, Big Facebook (especially in current news) Big Crooks...

I gave up... my life's an open book. the only salvation is the gold coins buried in a coffee can in my back yard.

Lends new meaning to the word "Security"....

"Depends"

 

[Live And Learn]

I only include the last 4 digits of my SSN when it is asked for. I don't ever remember being questioned on it.

 

[SJ1_]

about 15 yrs ago we were suppose to put our ssn's on our time sheet and leave them out for anyone who wanted to see them. (the in box for the sec)
one day my boss asked me why my ssn changed every pay period so since then I started using the same fake ssn. (this time sheet had nothing to do with payroll, they used it as an identification number)
I have never given my SSN to a Doctor or Dentist always leave it blank. But one time I ended up in the ER and I used the fake on then. the only reason they want it is to collect. Since I payed my bills they will never need my SSN
and if someone sees my personal info. in the trash bag they will get the fake one.

the sad part about your post is the fact that they do not care about your
privacy and this will have no effect on their life but it can financially ruin
yours.

 

[Derslickmeister]

Unfortunately, this is the new normal. It's not just medical privacy, it's privacy period. You can kiss it good bye. The casual attitude you mention has permeated into pretty much all areas of life...

 

[haha]

Ha, I don't know where you got that idea, but I assure you that physicians are bound by the law of the land and by the rules of their professional associations, and may be held to account if they do not follow them.

cLeve+haP67
Then how did OP have the experience he had? I think that the Doc's responsibilities extend to training, supervising, and firing his staff members if they can't do it right. Throwing patient histories into the trash is not doing it right.

The rules of professional associations seem largely created to stem competition. How come if I go into a restaurant I see prices on the menu? My shoe repair guy or dry cleaners post prices. Getting prices out of a doctor or dentist without burning some time and often some money can be impossible.

I know you are a good doctor, and I am not talking about you. But I just had some expensive surgery and I had no idea what it was going to cost until I got my bill yesterday- 4 months after the operation, and 10 months after my first appointment with them. IMO, dentists are worse. They guard their fees as hard as we guarded the Manhattan Project.

Ha

 

[Meadbh]

Then how did OP have the experience he had? I think that the Doc's responsibilities extend to training, supervising, and firing his staff members if they can't do it right. Throwing patient histories into the trash is not doing it right.

I agree with you. That is why Koolau should complain to the relevant regulatory body, which has the power to discipline the physician who is breaking the rules/law. They won't know about it until someone brings it to their attention.

The rules of professional associations seem largely created to stem competition. How come if I go into a restaurant I see prices on the menu? My shoe repair guy or dry cleaners post prices. Getting prices out of a doctor or dentist without burning some time and often some money can be impossible.

I know you are a good doctor, and I am not talking about you. But I just had some expensive surgery and I had no idea what it was going to cost until I got my bill yesterday- 4 months after the operation, and 10 months after my first appointment with them. IMO, dentists are worse. They guard their fees as hard as we guarded the Manhattan Project.

Ha

It would not be appropriate for me to comment on the financing of the US healthcare system,except to note that it does seem strange in a market economy to have this information differential.

 

[Koolau]

Ko'olau's Law -

Anything which can be used can be misused. Anything which can be misused will be.

~~~~~~~~~~~~~

Is that signature line new or are you psychic ?

That tag line is the truest thing I know. I've been using that one for 3 or 4 years. Before that, I used "Murphy was an optimist." YMMV

 

[MRG]

Agree Meadbh,

HIPPA laws provide definition of what is to happen should a breach occur. It included fines and possible litagation. Megacorp's policy, if you caused a violation that resulted in fines, they would back you only if you had followed policy. If you didn't you would be terminated, possibly held accountable for the breach fined, sued.

The OPs claim is a clear violation of HIPPA law. Electronic records are really supposed to be much more secure. I can track everyone that has viewed a medical record, try that with a paper file.

 

[Koolau]

Medical practices do pretty much whatever they please. The docs have the whip hand.

Ha

Oddly enough, the doc I see "just works there." The clinic itself is who I blame. They have come in and "gobbled up" an older clinic and now have a near monopoly on doctors and hospitals in the area. They have the nerve to call themselves "not for profit." I'm sure they have carefully met the legal requirements for that designation, but someone is getting rich from their "business." In today's climate, virtually all docs must combine their practices with other docs or "live" under the umbrella of some greedy entity like the clinic in question. One doc needs almost as much office staff as half a dozen docs combined together. The real pay off is when all the local docs are "owned" by one "not for profit" outfit. The docs don't make as much money as they used to, but someone else handles the paperwork and insulates them from many of the hassles. I see why they do it, but it becomes very impersonal until you step into the doc's exam room. In this case, I love the doc. I just hate the clinic he has been forced to join to stay in business and offer his services. I doubt he has a clue what the "front office" does. He works 10 or 12 hours a day and has to count on the clinic to responsibly handle a lot of the details.

 

[ERhoosier]

Ha, I don't know where you got that idea, but I assure you that physicians are bound by the law of the land and by the rules of their professional associations, and may be held to account if they do not follow them.

And most docs (inc mine of 20+ yrs) are now employees of health care systems who have long since lost the power to run even their own offices

And FWIW- I agree 100% that health care pricing needs to be MUCH more transparent and open, but that prob deserves its own thread.