Join 3,438 readers in helping fund MetaFilter (Hide)


More about doctors and privacy
October 21, 2009 5:57 AM   Subscribe

What exactly can a doctor's office tell anyone who happens to pick up your phone?

I've recently come across couple of issues with doctor's offices and privacy. The first one was my mental health clinic, who dialed my home phone number. My boyfriend picked up and told them I wasn't home (I wasn't), and my mental health clinic said "well X therapist would like to make an appointment to see her." My bf doesn't live with me and they didn't even ask who he was when they left that message. I called them and said WTF, but they said that by providing them my home number, I authorized them to leave non-specific (i.e. no details about my care) messages there. I had no idea they were allowed to speak to anyone who answered the phone! Are they? (Note, I've since told them they are only allowed to call my cell phone number and they agreed.)

The other issue: My mom went to a specialist and specifically gave them only her cell phone number because she did not want them to give her test results to my dad. Specialist's office requested my mom to get her records from the general practitioner, which she provided. They pulled her home number off the GP's records and called the house. She went in to Specialist's office and explained that she was preparing to separate from my father and she did NOT want them calling him, they said, "well that will be a problem." Two days later they called when she wasn't home and told my dad the test results, when she explicitly told them not to. To me this is even worse than the first case because they did not leave a general message - they gave him test results! After she did not give them permission to and even specifically told them not to! Isn't that illegal?

When you go to a doctor's office, you usually have to fill out a form with the names of the people they may release information to. Why are the doctors' offices, then, not checking these forms and asking who they are speaking to when calling a phone number?
posted by anonymous to Health & Fitness (11 answers total) 4 users marked this as a favorite
 
I think you will find what you're looking for here:

http://www.hhs.gov/ocr/privacy/

and here:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

There are some good quick fact PDF flyers at that one that address your question directly.

As for what you can do about it and what penalties are in place for violation of HIPPA, see here.
posted by zizzle at 6:14 AM on October 21, 2009 [1 favorite]


based on what it says from zizzle's links, i think you and your mom would both well within your rights based on HIPAA to file a complaint. ESPECIALLY your mom. see the bold/italic part below.

i am really sorry that you and your mom are having to deal with these issues.


from that link above ... Who Can Look at and Receive Your Health Information


The law sets rules and limits on who can look at and receive your health information

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

For your treatment and care coordination
To pay doctors and hospitals for your health care and to help run their businesses
With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
To make sure doctors give good care and nursing homes are clean and safe
To protect the public's health, such as by reporting when the flu is in your area
To make required reports to the police, such as reporting gunshot wounds


Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:

Give your information to your employer
Use or share your information for marketing or advertising purposes
Share private notes about your health care
posted by sio42 at 6:39 AM on October 21, 2009


For the first item, they seem to be following the rule. Look at the Q&A part (page 6) of Incidental Uses and Disclosures Under HIPAA (PDF).
A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. . . . However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
For the second item, the same document says:
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable.
("Covered entity" in both of these is the medical provider that falls under HIPAA)
posted by smackfu at 6:41 AM on October 21, 2009


When I worked at Memorial Sloan Kettering we were told not to say ANYTHING to anyone other than the patient or authorized caretakers. When we left messages with other people or even on voicemail, we were calling from Firstname Lastname's office and to please call us back. Not Dr. Lastname. Firstname Lastname. They should be saying the absolute bare minimum.

My medical group has automated appointment reminders that leave a message that I have an appointment with Dr. Lastname in Specialty. I hate that.

I can't believe they gave the test results to an unauthorized person over the phone. You should absolutely file a complaint with HIPAA and JCAHO. The HIPAA complaint may come to nothing, but the Joint Commission will come down on them like a ton of bricks.
posted by elsietheeel at 8:02 AM on October 21, 2009


My boyfriend picked up and told them I wasn't home (I wasn't), and my mental health clinic said "well X therapist would like to make an appointment to see her." My bf doesn't live with me and they didn't even ask who he was when they left that message.

I agree that it's not ideal, but are the alternatives any better?

I mean, if they phoned you and said "is that Anonymous?" anyone of the right gender could say "yes, that's me" and get the information.

Only calling cell phones is fine - until someone loses their phone. At least with a landline you know the person you're talking to has access to the patient's home.

And if every phone call started with the caller refusing to identify themselves or what they were calling about, I would think people would mistake them for telemarketing. I mean, if I got an anonymous voicemail asking me to call a number, I would suspect it was some sort of telesales or scam.

Needless to say, things like e-mail and text messages are right out - and if someone is in your house to answer your landline, they could also access your post.

I guess my point is, in the boyfriend case (not the test results case which is IMHO indefensible) the security isn't ideal, but I can't think of a way to improve the security without making the entire process a big hassle.
posted by Mike1024 at 10:10 AM on October 21, 2009


Our office also has a strict policy about phone calls. When calling and reaching someone other that the patient, the message is only: This is SLC Mom at Your Health Care Company in Big City. Please call me back at ##########.

My partner once left a voice mail message: This is So and So from the bone marrow transplant department, please call me back to schedule an appointment. It turned out that the patient had not yet told her teenager that Mom Has Cancer. Fortunately he did not hear the message, but he easily could have. She was furious. Policy is policy and rules are rules, but there is nothing like a hard-core chewing out by a patient to make medical people careful about leaving messages.
posted by SLC Mom at 11:23 AM on October 21, 2009


this is kind of a derail, but i know that when i used to go planned parenthood, the contact info form has something like.... Is there a name you would like us to use when calling and leaving a message?

so that way you could be like "oh yeah, that was sue....from work. she wanted me to cover her shift/come to happy hour/etc."

i don't know if they still do that.

granted, your other security concerns are valid (impersonation, access to email, etc), but i think that if a dr's office calls and aks for you, and someone who is obviously not you because it sounds like a man/woman (whichever you are not), then the dr should not identify themselves. (unless you had specified otherwise it was ok to talk to that person) who cares if it sounds like telemarketing? HIPAA is about privacy, not convenience.

this guy may not have known she was in therapy, maybe she didnt want him to know. the point is, they didn't have to leave a message and they didn't have to say who they were because it wasn't the patient they were talking to.
posted by sio42 at 11:27 AM on October 21, 2009


when i used to go planned parenthood

They still do this. In fact, the intake form specifically asks next to each phone number you give, whether they are allowed to leave a message at that number.

With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object

The key phrase here that is relevant to your mom's case is "unless you object". If you click through to the information for providers on the website linked above, they have a much more comprehensive guide for what a health care provider is and isn't allowed to tell family and friends here. Relevant to your mom's issue, it gives this example:

"A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition."

On the other hand, the info in that document makes it sound like what happened with YOUR provider on the phone with your boyfriend is not technically illegal, though it was certainly in very poor form. I'm in nursing school right now, and all the training we've received has said that we shouldn't communicate private information with anyone except the patient, without first obtaining express consent from the patient (though obviously this is relaxed if the patient is unconscious). If you write a strongly worded letter to your provider, I think they would make some changes.
posted by vytae at 12:52 PM on October 21, 2009


My 22 year old son and I have the same health care provider. They won't even let me make an appt. for him. They ID me (date of birth, address) when they call. If my sister answered the phone, she could fake it, so it isn't very robust, but better than your and your Mom's experiences.

Complain in writing to the medical practice. If you aren't satisfied, call the state Attorney General's Office and find out who else you should complain to.
posted by theora55 at 1:01 PM on October 21, 2009


this is kind of a derail, but i know that when i used to go planned parenthood, the contact info form has something like.... Is there a name you would like us to use when calling and leaving a message? so that way you could be like "oh yeah, that was sue....from work. she wanted me to cover her shift/come to happy hour/etc." i don't know if they still do that.

Like Vytae said, they still practice this. The local one always uses the name "Betty" even with numbers you authorize - "Hello, this is Betty, call me back at xxx-xxxx." They make sure you know this if you are expecting results.
posted by june made him a gemini at 3:22 PM on October 21, 2009


this is from a friend of mine who works in the medical field (wow, that's vague, huh?)


---------------
yes, that is a nasty hipaa violation. Suing over it I am not sure but a firing perhaps. As always there is the law or regulation and then there is each agency/dr office interpretation of it. It is up to the regulatory body to determine if the interpretation is acceptable. We see it as common sense to generalize in the face of uncertainty but to some without thought, such as the office robot it is just another task completed. Ugh. My dr office always asks, may we leave a message and I say "no". I have found that bigger speciality practices use an automated, password secure system to retrieve results.
-----------------


so definitely you and your mom should file a complaint with all appropriate boards. if no one complains, the powers that be never know that someone is making this kind of mistake.
posted by sio42 at 7:00 AM on October 22, 2009


« Older When I read technical document...   |  Berlin-Filter: mandatory car e... Newer »
This thread is closed to new comments.