HIPAA – Ten Years Old & Still an Issue

Posted by Steve DeGenaro on Thu, Dec 07, 2017 @ 11:36 AM

Confidentiality, privacy, and the protection of their medical records and information are things our customers/patients have come to expect.  It has been well over ten years since HIPAA (the Health Insurance Portability and Accountability Act of 1996) went into effect, and consumers have had more than a decade of education every time they interact with any business related to healthcare.  The consumer is far better informed about their rights now than a decade ago.  So it might surprise some of us to find that in the DME world there are still instances of security and privacy breaches where medical information is NOT protected.

Surveyors, who work on the front lines with durable medical equipment companies, can all tell stories about “that time” and cite examples of these breaches—some relatively benign and minor, others egregious.  Let’s run through some examples; hopefully, seeing them will be instructive to some and a good reminder to the rest of us!

Case Study 1:

Small-town America, the setting is a local coffee shop.  The night before a survey starts.  A surveyor sits at the counter perusing the menu.  A couple at a nearby booth are actively discussing the woman’s work day.  “I would have finished on time today, but we had a call from the hospital and I had to set up an apnea monitor.”  {The surveyor’s radar is now on high alert.  He is, after all, surveying a local DME organization that specializes in pediatric homecare tomorrow.}  The woman goes on to say something to the effect of “You’ll never guess who the baby’s grandmother is,” names the person, and points out that the baby had been premature and that the mother of the baby had tested positive for cocaine!

What’s wrong with this picture?  Not only should the woman be more careful about strangers in the restaurant hearing her conversation, it’s a conversation she shouldn’t be having at all: a diagnosis, a drug-screen result, and the identity of the family are all protected information, and none of it was needed for anything she was doing that evening.  This scene is an example of how carefully we need to guard our conversations.  It is also a remarkable coincidence that a surveyor would happen to overhear a conversation among DME staff in a restaurant the night before a survey took place.

Case Study 2:

This one has actually happened to many surveyors.  A surveyor is doing a ride-along with delivery staff, delivering oxygen cylinders and doing concentrator maintenance in an assisted living facility.  Walking through the door into the building, there’s a group of residents gathered around talking.  Several of them are patients of the DME and know the delivery person.  One of them asks, “How’s old Mike _______?  I heard he’s in the hospital.”  Amiable and friendly (to a fault), the delivery person shoots back that Mike has been transferred off service and is in a skilled nursing facility.  It may feel like harmless neighborly chat, but the fact that Mike was a patient, that he has been discharged from service, and where he is now are all individually identifiable health information; the delivery person had no business confirming any of it.

Case Study 3:

An organization that provides ventilator care and clinical respiratory services is actively weaning a patient off a ventilator.  The patient has three children but lists only one on her release-of-information form, specifying that her oldest son is the only one who can make medical decisions for her and the only one who should receive any information about her progress, care, or equipment.

During the course of her care, her condition worsens and the weaning order is put on hold.  A family member NOT on the release form calls the company to ask what happened, and the respiratory therapist (RT) shares the patient’s condition and progress and explains why the weaning is not being done.  The release form existed precisely to answer the question “who may I tell?”; the RT should have checked the caller against it before saying anything, and declined when the name was not there.


All of these cases are real examples, and all are cases where staff members failed to protect private patient information.  Not only are these cases inconsiderate to the patient and families, they are also clear violations of standards that call for patient privacy.  HQAA has several standards that address the concept of patients’ rights with regard to privacy, including:

  • PRO 3: Requires companies to “maintain secure medical records.”  Companies should have policies and procedures for protecting patient records: who at the company has access to the records, how records are stored, and how and when information is disclosed to outside entities.
  • HR 5: One of the required topics for the annual in-service education program is HIPAA, privacy, and security.  Staff must be educated on an annual basis about this important topic.
  • PS 6: Your company’s privacy policies are among the things you must teach new customers about.  You should be explaining to all new customers that they have a right to expect privacy for themselves and their medical records, and discussing when and how that information can be shared or disclosed to outside entities.

Issues like the case studies listed above can easily happen when DME staff let their guard down.  Re-educate your staff on the importance of HIPAA and patient privacy in general, and establish a culture that treats this privacy as a sacred right.  Make sure that culture permeates all departments, from billing and in-store customer service to the delivery personnel and clinicians who go out into the community to provide care and services.  Make it a “respect issue” and an ingrained behavior to always respect patient privacy.



Topics: HIPAA, Patient Privacy