What to do about a HIPAA violation at my son's pediatrician office
June 19, 2014 6:25 AM

I needed a copy of my son's immunization records for some travel we are planning this summer. I called his pediatrician's office, and they said they'd send them right away. 2 days later an envelope arrived addressed by hand, the home address was correct but the recipient name was wrong. I opened the envelope to find another child's immunization records.

I'm pretty upset by this but I'm not sure if/how to pursue it with the office. We are very happy with the care our son's doctor provides, so we don't really want to leave the practice. I found the OCR portal to file a complaint, but I'm afraid that will cause friction between the Dr. and our family.

I know YANML but does anyone have any experience and/or advice?
posted by askmehow to Law & Government (25 answers total) 1 user marked this as a favorite

Personally, I'd call and talk to the office manager before doing anything else.

I have received another person's faxed medical records when someone misdialed, and all I did was call them to tell them and then shred the records. I think that things are going to go wrong occasionally even with medical records, and the best thing you can do is assume (absent some other evidence of carelessness) that people can self-correct given the information. This could easily be a new staff member, for instance - someone who has fifty million new things to remember and just got flustered and slipped up one time.
posted by Frowner at 6:29 AM on June 19, 2014 [16 favorites]

Call the office, ask to speak to the office manager or equivalent, and tell them, "We appear to have gotten the wrong records. Could you please call Other Family and ask whether they got ours?"

If they react appropriately, then chalk it up to a (probably) harmless mistake. Everybody gets one, right?
posted by Etrigan at 6:30 AM on June 19, 2014 [23 favorites]

The person who put the wrong record in the wrong envelope is probably a low wage office assistant who will lose her/his job if you complain. If I were you I would just call the office and let whoever answers the phone know that you were sent the wrong record. I assume you don't plan to do anything nefarious with that other child's records. Did you send them back? Speaking as a parent and a grandparent I think you're making too much of this.
posted by mareli at 6:30 AM on June 19, 2014 [58 favorites]

If you were generally unhappy with the pediatrician and wanted to cause trouble for them, you could go ahead and file a complaint. But, if you run a stop light or get caught speeding, wouldn't you rather have a warning than a fine? If you're happy with the doctor, bring back the material, ask to speak to the doc or to the office manager, deliver a discreet admonition, and forget it. It's not like they disclosed an STD to the wrong person; it's just an immunization that nearly every kid gets.
posted by beagle at 6:31 AM on June 19, 2014 [6 favorites]

What are you trying to accomplish? Do you want someone to get in trouble, but outside the official complaint process? Do you want the office procedures revised? Do you want an apology?

Personally, I'd just call the office and let them know that I got the wrong records and ask for the correct file. Feel free to mention it to the doctor at your next visit, as well.
posted by Admiral Haddock at 6:31 AM on June 19, 2014 [2 favorites]

Obviously you are concerned about the confidentiality of your son's records but it is a safe assumption that the office doesn't make a habit of intentionally sending confidential patient information to the wrong people. People make mistakes, they are human. I would ask the office if they have your information correctly on file. Try to think of this in context to a time you made a minor mistake at work, we all do.
posted by mrdrummed at 6:31 AM on June 19, 2014 [6 favorites]

I don't think this is a federal case. Yes, it's upsetting when sensitive information is sent to the wrong person, but at the end of the day this was a mistake, not a lapse in HIPAA regulations. It's not like the person who mailed that to you intended to send you the wrong information.

Honest mistakes happen. I'd just call the office, explain what happened and ask for the correct records. I'd ask them to scan the record to me on email, but tell me how blown MY mind was when I needed to get information to my Dentist's office and the office manager said, "We don't have email." WTF?

Again, mistakes happen, that's why pencils have erasers.
posted by Ruthless Bunny at 6:32 AM on June 19, 2014 [1 favorite]

This was a harmless mistake. You could cost someone their job. You could create hours and hours of hassle for people in the office. There's no need to do that.

Call the office, let them know you got the other child's record, offer to send it back, and ask again for your child's record. I'd leave it at that. If you want to make sure the issue is noted, send a letter to your pediatrician or call them. But don't get the authorities involved.
posted by alms at 6:38 AM on June 19, 2014 [2 favorites]

This is a HIPAA violation, yes, but unless it's part of a pattern, it's simply a clerical error rather than some sort of deep infrastructural failing at your doctor's office compromising the privacy of their patients. Going through official channels for this is overkill unless you have a bone to pick with the office. If an official complaint gets filed, they're going to have a big ole headache having to sort this out with whoever it is that enforces HIPAA, possibly pay fines, possibly have to fire employees that are otherwise perfectly worthwhile, etc.

It's within your right to complain, of course -- the law exists for a reason -- but a non-automated, hand-addressed mailing with the wrong kid's records isn't exactly a scandal. It's a fuck-up, and people will fuck up. If you report this to the office, you can be sure whoever did it will get reprimanded, but the office will also be very thankful to you for the consideration to let them handle this internally instead of going off directly to the authorities.
posted by griphus at 6:42 AM on June 19, 2014 [3 favorites]

Thanks for talking me off the cliff everyone.

In this case it was harmless, but my initial reaction was "if this happened once, it must've happened before". Regardless, I called the office and they re-sent the correct records, and I had already shredded the records I received. I'll probably mention it to the Dr. next time we see her.

I certainly don't want to get anyone fired, but I have no idea of the circumstances leading up to this particular incident. The office is aware it happened, and it's up to them to decide if any disciplinary action is required.
posted by askmehow at 6:47 AM on June 19, 2014 [3 favorites]

I agree that it's a clerical error and not on its own any suggestion of an ongoing, serious HIPAA issue. But I do think it's worth calling the office and mentioning it to someone when you request the correct record.

I suggest that as someone who once worked for a research group on a medical issue, where a mix-up like this happened, that we'd never have known about if the person who got the wrong record hadn't called and told us. It was embarrassing that we then had to report our staff member's screw-up to the research ethics committee (who agreed that this stuff happens as a result of clerical error and is not a big deal unless there's an ongoing issue), but it also gave us an opportunity to review our procedures, find some ways to reduce the chance of it happening again, and do some gentle re-training of the clerical staff. Ultimately I think that was a good thing and I was glad the person had told us, so we had a chance at the outset to make sure it really was a one-off, and not a process gap that could have exposed more people to more risk.
posted by Stacey at 6:47 AM on June 19, 2014 [1 favorite]

It's possible that the person you called might be required to mention it to their supervisor or compliance office or something. You did the right thing by simply calling. Let them figure out where to go from here.
posted by bondcliff at 6:53 AM on June 19, 2014

I would not mention this to the doctor. The secretary/assistant knows that she messed up. It's not a big deal.
posted by roomthreeseventeen at 7:26 AM on June 19, 2014 [8 favorites]

This happened to me once: I requested my file from a doctor who worked out of a major hospital and received someone else's file instead. It actually did have a lot of sensitive information: not so much the medical stuff, which I was careful not to read, but it had his social security number and a lot of other financial and veteran-status related stuff on the first page. I called the hospital's HIPAA compliance office. I didn't want anyone to get in trouble, but I did want them to review their procedures and see if anything needed to change. People have a right to medical privacy, and a clerical error that compromises that right doesn't really fall into the category of "no big deal."
posted by ArbitraryAndCapricious at 7:42 AM on June 19, 2014 [1 favorite]

Maybe I'm misunderstanding the situation, but aren't you basically saying you opened someone else's mail here? That mail for someone else was sent to the wrong location, and instead of returning it, you opened an envelope that was addressed to a different person? And you are upset that the contents of an envelope not addressed to you were for someone else?
posted by Jairus at 7:47 AM on June 19, 2014 [21 favorites]

In your follow up, OP, you mention that you plan to discuss this incident with your Dr. the next time you see her. I am not entirely sure that she is the best person to speak to about this matter. Generally clinics and even healthcare providers in private practices have office managers who run the business side of things. It seems to me as though the office manager would be the person to discuss this matter with if you decided to escalate the situation.

Of course, if it is a small practice that involves only the Dr. and office manager so that the office manager was the person who made the mistake, the Dr. might be the appropriate person to talk to about the matter.

I agree with the other posters and think that this matter doesn't need to be escalated. But I do think that you might want to rethink the way that you are imagining your Dr.'s role in the practice as you attempt to navigate the healthcare system. Most of the time Drs are focused on providing healthcare and there are others involved in providing other types of services (including medical records management, billing, etc.).
posted by ASlackerPestersMums at 8:01 AM on June 19, 2014

I'm a HIPAA Security / Privacy Officer for a large mental health organization. This is a low-tier privacy violation. It's not a breach. I would report the violation directly with the office manager / privacy officer / compliance officer. They should perform an investigation which SHOULD improve procedures but also go on record / reported to stakeholders / board members.

Do you know if they sent your child's information to the wrong address (mixed up records) or they just sent you the wrong record?
posted by bleucube at 8:06 AM on June 19, 2014 [8 favorites]

Call and ask for the HIPAA Privacy Officer, not the office manager. They are required to have one. Tell them you'd like to report an improper disclosure. Give them the details. They are required, by law, to log this improper disclosure and take steps to correct the underlying issue.

If you want to go up the chain to report this, there is only one place to go: The Office of Civil Rights. You can find the complaint form there.
posted by bfranklin at 8:06 AM on June 19, 2014 [3 favorites]

Yes, it's probably a HIPAA violation, but it sounds a lot more like a simple, forgivable clerical error made by a human being, rather than a willful and knowing intent to violate the law. They probably just read the next person's address on the list when writing out the mailing envelope.

Nthing that you should handle this via your pediatrician's office, not via an official complaint... unless you're repeatedly receiving other children's medical records, or you have other reasons to suspect that the pediatrician's office does not respect the privacy of their patients. Particularly if you like the doctor, there's no reason to sour your relationship with him or her by making an official complaint.
posted by tckma at 8:16 AM on June 19, 2014 [1 favorite]

You are not responsible for what happens once the practice is notified -- there are rules they have to follow once they're notified. You won't know whether or not they follow those rules. And it won't matter whether you call up angry or whether you just call to say "hey! Wrong records. I still need the right records." Both scenarios = notification of HIPAA violations.

It was likely an honest mistake, rather than systemic. The family whose records you got will be notified of the breach, and it's not necessarily true that someone will lose their job.
posted by vitabellosi at 9:12 AM on June 19, 2014 [1 favorite]

"Call and ask for the HIPAA Privacy Officer, not the office manager. They are required to have one. Tell them you'd like to report an improper disclosure. Give them the details. They are required, by law, to log this improper disclosure and take steps to correct the underlying issue."

This is the correct answer. This will allow review of procedure and if there is some substandard or outdated practice that would cause repeated violations, it may be discovered and changed. That's what the HIPAA Privacy Officer is there for. They want to know about these instances. So protections can be put in place, workflows can be modified, vendors can be updated, or security holes can be patched.
posted by cashman at 9:21 AM on June 19, 2014 [1 favorite]

I *would* mention it to the doctor. As someone who has family that runs medical practices, the truth is they would really like to know about this stuff. Perhaps the Doctor will hear and create a more robust system to prevent this happening again.

But unless you get kicks out of punishing people for mistakes, don't take it formal.
posted by jjmoney at 9:33 AM on June 19, 2014

It's summer camp season. Everyone and their brother are requesting immunization records, camp physicals, etc. For pediatricians, this time of year and the end of August are like April 1-14 for accountants. The office probably had a huge pile of physical forms and immunization records that needed to go out and the clerk who was stuffing the envelopes mixed up the envelopes--you said it was hand addressed.

That said, there are certainly things they could do to mitigate this like print labels, use forms that have the address on them so you can use a window envelope, etc. So I'd mention it to someone--the doctor or the office manager.
posted by The Elusive Architeuthis at 9:52 AM on June 19, 2014

BTW they may be required to have a HIPAA Privacy Officer - but depending on the size of the office - it will probably be the office manager. Most organizations do not have a full time compliance, privacy, or security officer... it's just another "hat" that someone else wears in the organization. Call and ask who the compliance / privacy officer is. Report it to this individual.
posted by bleucube at 10:16 AM on June 19, 2014 [1 favorite]

If you are not satisfied with the outcome of your conversation with the office HIPAA Privacy Officer you can file a complaint with The Joint Commission (or maybe just mention it as an option...). When I worked at a hospital a Joint Commission violation and/or survey was a terrifying occurrence and the internet tells me that is still pretty much the case.
posted by elsietheeel at 4:51 PM on June 19, 2014
