Team 4 Uncovers HIPAA Records ViolationsPOSTED: 3:46 pm EST February 18,
2008 The following is a transcript of a report by Paul Van Osdol that first aired Feb. 18, 2008, on WTAE Channel 4 Action News at 5 p.m. Anytime you go to the doctor, dentist or hospital, you read or hear or often sign a HIPAA form. It's federal law aimed at preventing your medical records from being disclosed without your approval.Team 4 combed through hundreds of HIPAA complaints and believe it not, no one has been fined.Those documents also reveal the people in charge of enforcing HIPAA laws breached patient confidentiality themselves.Linda Cuttler could not believe it when she found out her husband's Clifton's medical records had been posted on the Internet."Emotionally, it's been draining to make sure not only am I protected but make sure nobody steals his ID and then to worry about my children," she said.But Cuttler is not alone. Dozens of patient names, Social Security numbers, X-rays and other private information were in two presentations that turned up on the Web.The Department of Health and Human Services, which enforces HIPAA, investigated. But according to UPMC privacy officer John Houston, "all privacy rule matters raised by the incident were resolved through the voluntary compliance actions of UPMC."That does not satisfy Cuttler."I want them to know this is a human story," she said. "This is not just a file that's been exposed."Team 4 obtained copies of all HIPAA investigations in western Pennsylvania since the law took effect five years ago. There were 378 complaints with 80 of them resulting in violations and not a single fine or criminal prosecution. Most of the cases were resolved like Cuttler's with voluntary compliance.Nationally, more than 30,000 people have complained to HIPAA without a single fine and only three prosecutions.Despite those numbers, the man who oversees HIPAA enforcement, Health and Human Services Secretary Mike Leavitt, said the system is working well."We worked very hard in identifying those 30,000 cases and then changing behavior so it doesn't happen and people don't get harmed," he said.But Rep. Jason Altmire said the lack of enforcement is a major concern."Patients have an expectation when they visit their health care provider their medical information will be kept private and if that is not happening, there needs to be some punishment on the other end," said Altmire.But nobody was punished when a doctor's office left boxes of patient records in and outside a Dumpster in August in Washington, Pa.And nobody was punished when another medical practice left records in a school recycling Dumpster in East Huntingdon Township in July 2005.The most common HIPAA complaints were cases where doctors talked about patients in public and where medical records ended up in the wrong hands.There were three cases where UPMC faxed patient records to the wrong place. But Houston said the hospital chain does regular HIPAA training for its employees, saying, "We thoroughly investigate all complaints about potential HIPAA issues and take corrective actions when appropriate."Allegheny General Hospital had one case where a patient was given medical records of two other patients. As a result of the investigation, the hospital changed its procedures and sent a letter of apology. Allegheny general declined to comment further.In another case, Butler Medical Associates, which is owned by Butler Health Systems, gave a patient the wrong treatment based on another patient's medical records."When those types of things happen, we really try to learn from that type of infraction and put systems in place so it does not happen again, so it's unfortunate, but we do learn from those experiences," said Butler Health Systems CEO Ken DeFurio. But DeFurio said it's even frustrating to him that there is not tougher enforcement of HIPAA laws."Hospital organizations certainly spend a lot of time and resources in complying with the legislation and law, and you certainly would like to believe it's being enforced," he said.When Team 4 got certain records, the HIPAA enforcement office was supposed to block out the names of all patients who filed the complaints. But when Team 4's Paul Van Osdol examined the records, he found nine cases where patient names were disclosed. So, it appears the people in charge of enforcing the medical privacy law failed to follow their own rules.Teresa Dimichelle is one of those patients whose names were disclosed. She agreed to talk about it.Van Osdol: "The fact that the government failed to protect you, the same government agency that enforces HIPAA laws, what does that tell you?"Dimichelle: "That it's all a joke to them. It was about my health care and the way I was being treated. I didn't think it needed go to whoever, Joe Schmoe down the street.""That's alarming, and you should be commended for doing that request and uncovering that, because that's something we definitely need to address," said Altmire.A spokesman for the Department of Health and Human Services said its disclosure of patient names is not a violation of HIPAA. That's because the government agency is not covered by the HIPAA law.Health and Human Services said recently it would begin issuing fines to those who do violate HIPAA, but it's not clear when that will start.For more information about HIPAA, visit www.HHS.gov. Related Links: More County NewsGet RSS | E-Mail Alerts Copyright 2008 by ThePittsburghChannel. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. |
| ||||||||
   |
| |||||||
